b'U. S. Government Printing Office \xe2\x80\xa2 Office of Inspector General\n\nS e m i a n n ua l R e p o r t t o C o n g r e ss\n                  April 1, 2010, through September 30, 2010\n\n\n\n\n              50% Black + 100% Black\n\n\n\n\n              PMS 540 + 100% Black\n\n\n\n\n             White (version for reverse)\n\x0cThe U.S. Government                                        The Office of\nPrinting Office                                            Inspector General\n\n\nF                                                          T\n        or well over a century, the U.S. Government                he Office of Inspector General (OIG) was cre-\n        Printing Office (GPO) has fulfilled the needs of           ated by the GPO Inspector General Act of\n        the Federal Government for information prod-               1988\xe2\x80\x94title II of Public Law 100\xe2\x80\x93504 (October\nucts and distributing those products to the public.        18, 1988) (GPO IG Act). The OIG at GPO is dedicated to\nGPO is the Federal Government\xe2\x80\x99s primary resource for       acting as an agent of positive change\xe2\x80\x94changes that\ngathering, cataloging, producing, providing, authen-       will help GPO improve its efficiency and effectiveness\nticating, and preserving published U.S. Government         as the Agency undertakes an era of unprecedented\ninformation in all its forms. GPO also produces and        transformation. Through evaluation of GPO\xe2\x80\x99s sys-\ndistributes information products and services for each     tem of internal controls, the OIG recommends poli-\nof the three branches of Government.                       cies, processes, and procedures that help prevent and\n      Under the Federal Depository Library Program,        detect fraud, waste, abuse, and mismanagement. The\nGPO distributes a wide range of Government publi-          OIG also recommends policies that promote econ-\ncations in print and online to more than 1,250 public,     omy, efficiency, and effectiveness in GPO programs\nacademic, law, and other libraries across the coun-        and operations.\ntry. In addition to distributing publications through            The OIG informs the Public Printer and Congress\nthat library system, GPO provides access to official       about problems and deficiencies as well as any posi-\nFederal Government information through public              tive developments relating to GPO\xe2\x80\x99s administration\nsales and other programs, and\xe2\x80\x94most prominently\xe2\x80\x94            and operation. To accomplish those responsibilities,\nby posting more than a quarter of a million titles         the OIG conducts audits, assessments, investigations,\nonline through GPO Access (www.gpoaccess.gov).             inspections, and other reviews.\n      Today more than half of all Federal Government\ndocuments begin as digital products and are pub-\nlished directly to the Internet. Such an evolution of\ncreating and disseminating information challenges\nGPO, but it has met those challenges by transform-\ning itself from primarily a print format entity to an\nagency ready, willing, and able to deliver from a dig-\nital platform a high volume of information to a mul-\ntitude of customers.\n      Although a transition to digital technology\nchanges the way products and services are created\nand offered, GPO strives to continually satisfy the\nrequirements of Government and accomplish its\nmission of Keeping America Informed.\n\x0ccon t en ts\n\n\n\n\nMessage from the Inspector General . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 3\nHighlights of This Semiannual Report . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 5\nOIG Management Initiatives . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 6\nPersonnel Updates . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 7\nCouncil of the Inspectors General on\nIntegrity and Effiency . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 8\nReview of Legislation and Regulations . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 8\n\n\nGPO Management Challenges . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 9\n\n\nOffice of Audits and Inspections . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 21\nA.\tSummary of Audit and Inspection Activity. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                                                          21\nB.\tFinancial Statement Audit. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                         21\nC.\tAudit and Inspection Reports . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                                 22\nD.\tOngoing Work. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .     24\nE.\tStatus of Open Recommendations. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                                            24\n\nOffice of Investigations . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 31\nA.\tSummary of Investigative Activity. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                                         31\nB.\tTypes of Cases. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .   32\nC.\tSummary of Investigative Accomplishments. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                                                                32\nD.\tOther Significant Activities. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                         36\n\nAppendices . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  . 37\nA.\tGlossary and Acronyms. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                       37\nB.\tInspector General Act Reporting Requirements. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                                                                     40\nC.\tStatistical Reports . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .         41\n\tTable C\xe2\x80\x931: Audit Reports with Questioned and\n\tUnsupported Costs . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                41\n\tTable C\xe2\x80\x932: Audit Reports with Recommendations\n\tThat Funds Be Put to Better Use . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                                      42\n\tTable C\xe2\x80\x933: List of Audit and Inspection Reports Issued\n\t During Reporting Period. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                         43\n\tTable C\xe2\x80\x934: Investigations Case Summary . .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .                                                          44\n\tTable C\xe2\x80\x935: Investigations Productivity Summary. .  .  .  .  .  .  .  .  .  .  .  .  .  .                                                                        46\nD.\tPeer Review Results. .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .             47\n\n\n                                        S e m i a n n u a l r e p o r t t o c o n g r e ss                                                                             1\n\x0c\x0c      M e s sag e f ro m t h e\n      Inspector Gener al\n\n\n\n\nThis Semiannual Report to Congress covers the activities of the GPO Office of\nInspector General for the period April 1, 2010 through September 30, 2010.\n     During this reporting period, our Office of Audits and Inspections contin-\nued its oversight activities of the implementation of the Federal Digital System\n(FDsys), as well as the Public Key Infrastructure, which supports critical, digital\nagency functions. The OAI notes 48 open recommendations from previous report-\ning periods requiring management\xe2\x80\x99s attention.\n     The Office of Investigations continues to see growth in the area of contract\nand procurement fraud, as well as employee misconduct cases. Currently, the OI\nhas 50 active complaints and investigations in progress, a significant increase\nover the last reporting period. In order to meet the increasing demands from the\nburgeoning case load, the OI will welcome two new special agents at the begin-\nning of FY 11.\n     We continue to evaluate critical issues facing GPO, and have updated the most\nsignificant management challenges, accordingly. Human capital operations and\nmanagement continues as a critical challenge to the Agency. We remain hopeful\nthat a renewed focus on customer-driven solutions and results will bring about\nmuch needed change and direction. Additionally, we note critical developments\nwith Security and Intelligent Documents that will warrant additional oversight\nefforts by this office.\n     As the GPO OIG remains committed to quality and accountability, we con-\ntinue our own process improvement efforts. As we move into the next fiscal year, the\nOIG will undergo peer reviews of our Audit and Investigative functions, as well as\nan internal review of OIG operations and procedures. Being mindful of improving\nour own operations will only enable the OIG to better fulfill its mission and goals.\n     For more information, please visit our website (www.gpo.gov/oig) and, to\nkeep informed of OIG activities, please sign up to receive automatic email updates.\n\n\n\n\n                                                 J. Anthony Ogden\n                                                 Inspector General\n                                                 U.S. Government Printing Office\n\n\n\n\n                         S e m i a n n u a l r e p o r t t o c o n g r e ss            3\n\x0c\x0cHi g h l i g h t s o f t h i s\nS e mi a n n ua l R e p o r t\n\n\n\n\nT\n         he Office of Audits and Inspections (OAI) issued three new\n         reports during this reporting period. Those three reports\n         included assessments related to the Independent Verification\nand Validation (IV&V) efforts of implementing the Federal Digital\nSystem (FDsys). We also issued an annual report assessing GPO\xe2\x80\x99s Public\nKey Infrastructure (PKI) services.\n     OAI\xe2\x80\x99s significant accomplishments during this reporting period\ninclude the following:\n\tContinued to oversee the efforts of American Systems as it con-\n\xe2\x97\x8f\n\n\n ducted IV&V for the public release of FDsys. We issued two quarterly\n reports this period providing observations and concerns on the pro-\n gram\xe2\x80\x99s technical, schedule, and cost risks as well as requirements\n traceability of those risks and the effectiveness of the program man-\n agement processes in controlling risk avoidance.\n\xe2\x97\x8f   \tIssued the results of an annual review conducted under contract\n     by an Independent Public Accountant (IPA) on GPO\xe2\x80\x99s PKI ser-\n     vices. GPO\xe2\x80\x99s PKI ensures the highest level of protection for elec-\n     tronic information that travels over ordinary, nonsecure net-\n     works. The IPA issued an unqualified opinion that management\xe2\x80\x99s\n     assertion related to the adequacy and effectiveness of controls\n     over its Certification Authority (CA) operations is, in all material\n     respects, fairly stated.\n     The Office of Investigations (OI) opened 8 investigations and 24\ncomplaints for preliminary investigation, while closing 8 investiga-\ntions and 29 complaints (10 of which were closed with no action). At\nthe end of this reporting period, OI had 33 ongoing investigations\nand 17 open complaints. Additionally, three investigations and\nnine complaints were referred to GPO management for potential\nadministrative action.\n     Of the open complaints and investigations, 27 involve alle-\ngations of procurement fraud, which reflects increased OI efforts\nto address procurement and financial fraud vulnerability within\nGPO. The increase in procurement fraud cases is the result in part\n\n\n\n\n                   S e m i a n n u a l r e p o r t t o c o n g r e ss       5\n\x0c    of continued OI engagement with management,                     During this reporting period, OALC accom-\n    Print Procurement officials, and other acquisitions        plished the following:\n    employees.                                                 \tReviewed, edited, and approved four subpoenas;\n                                                               \xe2\x97\x8f\n\n         Several ongoing investigations are being con-          reviewed and edited three audit reports and five\n    ducted in coordination with the Department of               reports of investigation.\n    Justice (DOJ), including its Antitrust Division. As part\n                                                               \t Worked with the IG to develop agenda for OIG-wide\n                                                               \xe2\x97\x8f\n    of those investigations, the IG issued four subpoenas\n                                                                 retreat.\n    for documents this reporting period.\n         OI\xe2\x80\x99s significant accomplishments during this          \tUpdated the OIG 3-year Strategic Plan for discus-\n                                                               \xe2\x97\x8f\n\n\n\n    reporting period include:                                   sion with senior staff.\n\n    \xe2\x97\x8f   \tAs a result of an OI investigation substantiating     \t Supported the IG in his role as the Chair of the\n                                                               \xe2\x97\x8f\n\n\n\n         that a contractor failed to comply with critical        Legislation Committee of the Council of Inspec-\n         contract specifications regarding the security          tors General on Integrity and Efficiency (CIGIE)\n         of personally identifiable information (PII), the       in reviewing and analyzing proposed legislation\n         contractor agreed to pay a $25,000 settlement of        affecting the IG community, soliciting comments,\n         U.S. penalty claims, without admitting wrongdo-         and drafting letters and informal comments for\n         ing or liability.                                       Members of Congress.\n\n    \tThe Agency terminated an employee as a result of\n    \xe2\x97\x8f\n                                                               \t Hired a law clerk for the summer who worked on a\n                                                               \xe2\x97\x8f\n\n\n\n     an OI investigation into allegations the employee           variety of legal research projects.\n     used or attempted to use her position for personal        \t Supported the procurement of an electronic case\n                                                               \xe2\x97\x8f\n\n\n     financial gain and benefit close friends.                   management system for OI.\n    \xe2\x97\x8f   \tThe Agency terminated another employee after          \tOrganized a presentation on Whistleblower Pro-\n                                                               \xe2\x97\x8f\n\n\n         OI determined that employee was convicted of           tection Issues for members of the Council of Coun-\n         a serious drug offense and initiated an inves-         sels to the Inspector General (CCIG).\n         tigation to determine if the employee was sell-       \tActed on a variety of matters as the OIG liaison to\n                                                               \xe2\x97\x8f\n\n         ing drugs on GPO property. The seriousness of          the GPO General Counsel and the GPO Office of\n         the drug offense coupled with false statements         the Chief of Staff, including support with GPO liti-\n         the employee made to investigators formed the          gation and personnel action matters.\n         foundation of the successful administrative case\n         against the employee.\n                                                               OIG Management Initiative s\n          OI continues investigations into allegations\n    of false statements, false claims, and/or bid collu-       During this reporting period, the OIG held an office-\n    sion by GPO print vendors. OI also has the assis-          wide retreat in June 2010 to discuss the vision, direc-\n    tance of the DOJ Antitrust Division, which contin-         tion, and goals of the OIG as well as how to continue\n    ues to evaluate cases for possible criminal and/or         to enhance, improve, and measure the success of its\n    civil action.                                              operations. We have also drafted an updated, 3-year\n          The Office of Administration/Legal Counsel (OALC)    strategic plan. We continued to meet with various\n    provides legal advice and counsel on issues aris-          business units during the reporting period to deter-\n    ing during audits, inspections, and investigations,        mine high-risk areas for the Agency to better focus\n    including opinions regarding legal accuracy and suf-       our resources.\n    ficiency of OIG reports. OALC manages administra-               During the upcoming reporting period we will\n    tive and management issues as well as congressional        work on refreshing our Web site and developing a for-\n    and media relations and requests for information.          mal communications plan with the Agency\xe2\x80\x99s Office\n    OALC reviews and edits audit, inspection, and inves-       of Communications to help educate GPO employ-\n    tigative reports before the IG approves.                   ees and other stakeholders about the role of the OIG,\n\n\n\n6   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cemployee rights, and the importance of reporting\nwrongdoing and cooperating with the OIG.\n\n\nPersonnel Update\nDuring this reporting period, Patricia Bach and David\nHilburg joined OAI as Senior Auditors. Patricia brings\n25 years of audit and accounting experience to the\nOIG from the Department of Energy where she was\na Senior Accountant. Patricia previously held audi-\ntor positions with the Department of Defense and the\nGeneral Services Administration. She has a Bachelor\nof Science degree from the University of West Florida\nand is a Certified Public Accountant. David brings\nmore than 6 years of audit experience from the U.S. Air\nForce Audit Agency where he was an Audit Manager.\nDavid has a bachelor\xe2\x80\x99s degree from Washington\nUniversity and a Master of Science degree from the\nColorado School of Mines.\n     On September 30, 2010, Debra Miller, the              David Hilburg joined the OIG as Senior Auditor. Debra\nAssistant Inspector General for Investigations             Miller, Assistant Inspector General for Investigations,\n                                                           retired after 27 years of federal service.\n(AIGI), retired from federal government service.\nDebbie began her investigator career in 1977 with\nthe Florida Auditor General\xe2\x80\x99s Office investigating         with the mirror manufacturer, at the time the larg-\nwelfare fraud. In 1982, she became a Special Agent         est recovery by the NASA OIG.\nwith the Environmental Protection Agency\xe2\x80\x99s OIG                  In 1998, Debbie joined the Social Security\nwhere she worked in civil and criminal investiga-          Administration (SSA) OIG as a Regional Special Agent\ntions. In that same year, Congress charged that the        in Charge where she oversaw the administrative, oper-\nEPA had mishandled the $1.6 billion toxic waste            ational, and management activities of three investi-\nSuperfund and demanded records from then EPA               gative field divisions. In 2003, Debbie became SSA\nAdministrator Anne Gorsuch. Gorsuch refused and            OIG\xe2\x80\x99s Contract Fraud Program Manager to initiate\nbecame the first agency director in U.S. history to        and develop a contract fraud investigative program.\nbe cited for contempt of Congress. As a result of this     In that capacity, she was the lead agent in a successful\nscandal, Debbie was involved in highly sensitive           case prosecution against a former owner of a Maryland\ninvestigations of alleged misconduct by an Assistant       security firm, its former Chief Operating Officer, and a\nAdministrator and a Regional Administrator, which          long-time General Service Administration employee.\nled to their resignations and financial recoveries         These individuals pled guilty in a bribery and tax eva-\nfor the EPA.                                               sion scheme involving federal security contracts worth\n     After a brief stint as a Financial Investigator for   more than $130 million. The company provided armed\nBlue Cross and Blue Shield of Virginia, she moved to       and unarmed security guards for 18 Federal agencies\nNASA\xe2\x80\x99s OIG where she worked until 1998 on sensi-           at 120 installations in 32 States and territories. The\ntive and complex criminal and civil investigations.        case is the largest corruption case ever prosecuted in\nOne significant achievement at NASA was her work           Maryland, in terms of the size of the contracts involved.\nas the lead agent on the investigation of the Hubble            As the AIGI at GPO OIG, Debbie was critical in\nSpace Telescope primary mirror flaw. That investi-         transforming the Office of Investigations. She started\ngation resulted in a civil settlement of $25 million       with a staff of three Special Agents and a caseload of\n\n\n\n                                                           S e m i a n n u a l r e p o r t t o c o n g r e ss          7\n\x0c    seven contract and procurement fraud cases. In two              On behalf of the CIGIE Legislation Committee,\n    years, she grew the office to seven Special Agents,       the IG wrote letters and communicated with several\n    increased procurement fraud investigations more           congressional committees on various legislative mat-\n    than 200%, and issued a variety of reports to GPO         ters affecting the IG community, most significantly to:\n    management to prevent procurement fraud and               \tConvey the views of the IG community on House\n                                                              \xe2\x97\x8f\n\n    increase protection of sensitive information. She also     of Representatives Bill\xc2\xa04983 (HR 4983), \xe2\x80\x9cTranspar-\n    developed fraud briefings for GPO staff and was suc-       ency in Government Act of 2010,\xe2\x80\x9d which would\n    cessful in obtaining U.S. Marshal Services\xe2\x80\x99 Special        place certain requirements on the IG community\n    Deputations for the OI\xe2\x80\x99s Special Agents.                   to review data for Federal agency awards.\n         Through it all, Debbie was able to successfully\n                                                              \tConvey the sense of the IG community regarding\n                                                              \xe2\x97\x8f\n    raise three beautiful children. She also worked tire-\n                                                               a requirement under Senate Bill 372 (S 372), \xe2\x80\x9cThe\n    lessly as a member of the Women in Federal Law\n                                                               Whistleblower Protection Enhancement Act of\n    Enforcement Association to promote work/life bal-\n                                                               2009,\xe2\x80\x9d that IGs designate a Whistleblower Protec-\n    ance in the workplace. We wish Debbie the best in\n                                                               tion Ombudsman within their offices.\n    her next adventures.\n                                                                   In addition to participating in CIGIE meetings\n                                                              and events, legislative branch IGs meet regularly to\n    Council of the Inspectors                                 promote communication, cooperation, and coordi-\n    Gener al on Integrit y and                                nation with one another on an informal basis. During\n    Efficiency\n                                                              this reporting period, the IGs of the Government\n    On October 14, 2008, the IG Reform Act of 2008,           Accountability Office (GAO) and Library of Congress\n    Public Law 110\xe2\x80\x93409, established the CIGIE. The            hosted meetings in which the following issues were\n    CIGIE addresses integrity, economy, and effective-        discussed and are undergoing consideration:\n    ness issues that transcend individual Government          \t Shared training opportunities for legislative\n                                                              \xe2\x97\x8f\n\n    agencies and helps increase professionalism and the         branch OIG personnel.\n    effectiveness of personnel by developing policies,\n                                                              \xe2\x97\x8f   \tCross-cutting legislative branch audits and\n    standards, and approaches aiding in establishing a\n                                                                   inspections.\n    well-trained and highly skilled workforce in OIGs.\n    The GPO OIG\xe2\x80\x94along with other legislative branch           \tModel performance criteria and standards.\n                                                              \xe2\x97\x8f\n\n\n\n    OIGs\xe2\x80\x94is a member of CIGIE.                                \tOngoing discussions regarding legislative issues\n                                                              \xe2\x97\x8f\n\n\n          The role of the CIGIE includes identifying,          affecting the legislative branch OIG offices.\n    reviewing, and discussing areas of weakness and\n    vulnerability in Federal programs and operations\n                                                              Re view of Legisl ation and\n    for fraud, waste, and abuse, and developing plans         Regul ations\n    for coordinated Government-wide activities that\n    address those problems and promote economy and            The OIG, in fulfilling its obligations under the IG Act,\n    efficiency in Federal programs and operations.            reviews existing and proposed legislation and regula-\n          In May 2009, the IG at GPO was elected to serve     tions relating to programs and operations at GPO. It\n    a 2-year term as Chairman of the CIGIE Legislation        then reports in each semiannual report on the impact\n    Committee. The Legislation Committee provides to the      of legislation or regulations on the economy and effi-\n    IG community helpful and timely information about         ciency of programs and operations administered or\n    congressional initiatives. The Committee also solicits    financed by GPO. The OIG will continue to assist the\n    the IG community\xe2\x80\x99s views and concerns in response         Agency in achieving its goals in that area.\n    to congressional initiatives and requests, and presents         During this reporting period, there were no\n    views and recommendations to congressional enti-          legislative proposals relating to GPO programs and\n    ties and the Office of Management and Budget (OMB).       operations.\n\n\n\n\n8   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cg p o m a nag e m e n t\nch allenges\n\n\n\n\nI\n     n each Semiannual Report to Congress, the OIG identifies\n     for management a list of issues most likely to hamper the\n     Agency\xe2\x80\x99s efforts if not addressed with elevated levels of atten-\ntion and resources. In this report, we update the list of manage-\nment challenges we believe are critical for the Agency to address.\n\n     1. Human Capital Operations and Management. The issues fac-\ning Human Capital (HC) operations and management at GPO were\nidentified as a significant management challenge for several semian-\nnual reporting periods. HC operations are at the heart of effectively\naccomplishing an agency\xe2\x80\x99s mission. In essence, HC provides services\nnecessary to acquire the most precious and important source of pro-\nductivity\xe2\x80\x94its employees.\n     In writing about the challenges of human capital in general, J.\nChristopher Mihm recently notes that \xe2\x80\x9c[d]riven by long-term fiscal\nconstraints, changing demographics, evolving governance models,\nand other factors, the federal government is facing new and more\ncomplex challenges in the twenty-first century and federal agencies\n\n\n                      GPO\xe2\x80\x99s Top 10\n                 Management Challenges\n\n\n  \t      1.\t    Human Capital Operations and Management.\n  \t      2.\t    Information Technology Management and Security.\n  \t      3. \t   Security and Intelligent Documents.\n  \t      4. \t   Internal Controls.\n  \t      5. \t   Protection of Sensitive Information.\n  \t      6. \t   Acquisitions and Print Procurement.\n  \t      7. \t   Financial Management and Performance.\n  \t      8.\t    Continuity of Operations.\n  \t      9. \t   Strategic Vision and Customer Service.\n  \t     10. \t   Sustainable Environmental Stewardship.\n\n\n\n\n                  S e m i a n n u a l r e p o r t t o c o n g r e ss    9\n\x0c     must transform their organizations to meet these                    Among the significant findings of the OPM\n     challenges. Strategic human capital management                 audit were that GPO (1) does not have a fully func-\n     must be the centerpiece of any serious change in               tioning accountability system that ensures efficient\n     management strategy.\xe2\x80\x9d1 In today\xe2\x80\x99s environment,                 and compliant DE operations; (2) has significant\n     successful HC operations are \xe2\x80\x9cresults-oriented, cus-           problems in transaction processing, particularly\n     tomer-focused, and collaborative.\xe2\x80\x9d2                            regarding the critical on-boarding process that\n          GAO identified four critical areas related to             establishes new hires; (3) lacks consistent updated\n     Strategic HC Management that the OIG believes are              guidance addressing DE processes; (4) has used HC\n     relevant to GPO:                                               Specialists in DE work before completing certifica-\n     \xe2\x97\x8f\t Leadership . Top leadership must provide com-\n                                                                    tion training, which is prohibited by the Interagency\n        mitted and inspired attention needed to address             DE Agreement with OPM; and (5) is not using annual\n        human capital transformation issues.                        trend data regarding opportunities to hire veterans,\n                                                                    or the results of annual self-audits to improve pro-\n     \xe2\x97\x8f\t Strategic Human Capital Planning . HC planning\n                                                                    gram operations.\n        efforts must be fully integrated with mission and\n                                                                         GPO HC management acknowledged prob-\n        critical program goals.\n                                                                    lems with its transaction processing, particularly\n     \xe2\x97\x8f\t Acquiring, Developing, and Recruiting Talent. Agen-\n                                                                    the on-boarding processes, with the OIG expe-\n        cies need to augment strategies to recruit, hire,           riencing an 80-percent error rate. OPM recom-\n        develop, and retain talent.                                 mended that GPO consider an outsourcing pilot of\n     \xe2\x97\x8f\t Results-oriented Organizational Cultures. Organiza-         human resources services for the OIG, noting that\n        tional cultures must promote high performance and           as an independent organization, the GPO OIG is\n        accountability, empower and include employees in            an ideal candidate because many other OIGs have\n        setting and accomplishing programmatic goals, and           outsourced their human resources services. With\n        develop and maintain inclusive and diverse work-            such a pilot, GPO could track efficiency, effective-\n        forces reflective of all segments of society.3              ness, and cost of the outsourcing option to com-\n           We continue to be concerned that management              pare w ith its own HC operations. In response\n     has not placed enough emphasis on addressing the               to the OPM recommendation and with the sup-\n     four areas that GAO cites to transform HC operations           port of the Public Printer and Chief Management\n     and management. During this                                                            Officer, the OIG proposed an\n     reporting period, OPM issued\n                                                     In today\xe2\x80\x99s environment,                Interagency Agreement with\n     audit findings about GPO\xe2\x80\x99s del-                successful HC operations                OPM for such services dur-\n     egated competitive examining                                                           ing fiscal year (FY) 2011.\n                                                are \xe2\x80\x9cresults-oriented, customer-                 In its response to OPM\xe2\x80\x99s\n     (DE) operations. OPM found\n     that while most of the DE oper-              focused, and collaborative.\xe2\x80\x9d              aud it, GPO HC m a nage-\n     ations are being conducted                                                             ment admits \xe2\x80\x9cthe need for\n     compliantly, a \xe2\x80\x9clack of a viable accountability system\xe2\x80\x9d        improvement     in certain key areas regarding plan-\n     contributed to two illegal appointments and resulted           ning, documenting, and accountabilit y\xe2\x80\x9d and\n     \xe2\x80\x9cin inconsistent operations as well as inefficiencies.\xe2\x80\x9d        indicates either planned or initiated actions for\n                                                                    addressing required and recommended actions.\n                                                                    We encourage management to undertake and com-\n     1\n      \xe2\x80\x82 \xe2\x80\x9cHuman Capital: Federal workforce challenges in the         plete any action necessary to address OPM\xe2\x80\x99s rec-\n     Twenty-first Century,\xe2\x80\x9d in Hannah S. Sistare, Myra Howze\n                                                                    ommendations as quickly as possible. For HC to\n     Shiplett and Terry F. Buss, eds., Innovations in Human\n     Resource Management: Getting the Public\xe2\x80\x99s Work Done in         successfully transform to a high-performing busi-\n     the 21st Century (New York: M.E. Sharpe, Inc., 2009), 13.      ness unit, it must produce a change in its culture to\n     2\n      \xe2\x80\x82 Id., 19.\n     3\n                                                                    achieve \xe2\x80\x9cresults-oriented, customer-focused, and\n      \xe2\x80\x82 GAO Report GAO-09-632T, http://www.gao.gov/new.\n     items/d09632t.pdf.                                             collaborative\xe2\x80\x9d HC solutions.\n\n\n\n10   Off i c e o f I n s p e c t o r G e n e r a l\n\x0c     We also believe that the Agency faces challenges\nin acquiring, developing, and retaining a diverse,\nqualified workforce with the right sets of skills for\nmeeting both the Agency\xe2\x80\x99s needs today and in the\nfuture. In September 2008, we completed a con-\ngressionally requested audit of GPO\xe2\x80\x99s diversity pro-\ngrams, particularly those related to establishing a\nmore diverse population in senior leadership posi-\ntions. The audit revealed that while GPO voluntarily\nadopted several components for establishing a model\nFederal Government diversity program, improve-\nments could be made toward enhancing diversity of\nthe Agency\xe2\x80\x99s corps of senior-level employees. We rec-\nommended that the Public Printer adopt all or a com-\nbination of the leading practices that GAO recom-        through implementation of new systems and retire-\nmends for establishing a model Federal Government        ment of the older legacy systems. FDsys, human\nprogram. During this reporting period, we closed         resource systems, and GBIS releases are now oper-\nthose recommendations.                                   ational. Additionally, in FY 2009, IT&S completed\n                                                         an Agency-wide rollout of an enhanced Time and\n2. Information Technology Management and Security.       Attendance application (WebTA).\nAs GPO transforms to a highly efficient and secure           The following areas are significant IT issues\nmultimedia digital environment, management of            confronting the Agency:\nthe Agency\xe2\x80\x99s information technology (IT) resources            a. Compliance with the Federal Information\nis critical. Acquisition, implementation, and sus-       Security Management Act\ntainment of engineering issues associated with IT             Because GPO provides services to executive\nresources and the Information Technology and             branch agencies that must comply with the Federal\nSystems (IT&S) Business Unit (including security         Information Security Management Act (FISMA) of\nissues) pose new management challenges.                  2002, GPO chose to substantially comply with the\n      Noteworthy challenges for IT&S include estab-      principles of the Act. Complying with FISMA pres-\nlishing and maintaining a top-level Enterprise           ents additional challenges for IT&S, including pro-\nArchitecture as well as support for several signifi-     tecting sensitive Agency systems, information, and\ncant initiatives, including FDsys, the e-Passport sys-   data. During FY\xc2\xa02007, the OIG conducted a baseline\ntem, digital publication authentication using a PKI,     assessment of compliance with FISMA to identify\ninformation system management, implementation            any gaps and deficiencies in GPO\xe2\x80\x99s overall infor-\nof the GPO Business Information System (GBIS) (an        mation security program, including critical sys-\nOracle solution), and implementation of electronic       tems. We completed a full FISMA assessment in\nhuman resources systems.                                 FY\xc2\xa02009. The scope included evaluating GPO prog-\n      Legac y systems increasing ly in h ibit t he       ress in complying with FISMA based on the 2007\nAgency\xe2\x80\x99s ability to respond to customer needs and        assessment. Our most recent assessment noted that\nmust be replaced. To create a plan that will help mit-   while GPO has made some progress in complying\nigate risks for aging legacy systems, IT&S analyzed      with FISMA, additional improvements are needed.\nlegacy applications and their impact on business         During this reporting period, IT&S continued to\noperations. As a result, IT&S recently completed         progress in addressing recommendations made in\na 5-year strategy for improving the level of system      our 2009 assessment.\nsupport and has begun executing the plan. The                 Looking forward, the potential changes to\nstrategy they developed should guide the Agency          FISMA resulting from draft legislation before\n\n\n\n                                                         S e m i a n n u a l r e p o r t t o c o n g r e ss    11\n\x0c     Congress present IT&S with areas to monitor and                      Testing \xe2\x80\x93 IV&V includes activities regarding the\n     incorporate into GPO\xe2\x80\x99s FISMA planning process.                  Master Test Plan and test efforts performed by the\n          b. Implementation of the Federal Digital System            FDsys implementation team and the IT&S System\n          The FDsys will be a comprehensive informa-                 Test Branch to verify adequacy and completeness of\n     tion life-cycle management system that will ingest,             testing activities.\n     preserve, provide access to, and deliver content from             The FDsys program has undergone substan-\n     the three branches of the Federal Government. The           tial changes since its inception. During the fall of\n     system is envisioned as a comprehensive, systematic,        2007, the schedule and scope for the first release\n     and dynamic means of preserving electronic content          was changed significantly and a final release with\n     free from dependence on specific hardware and/or            a reduced scope was planned for late 2008. In early\n     software. As of September 30, 2010, GPO expended            2008, GPO implemented a reorganization of the pro-\n     approximately $41 million (unaudited) to deploy             gram with respect to Government and contractor\n     FDsys Release 1, substantially exceeding the origi-         participation and responsibilities, and implemented\n     nal planned cost of $16 million.                            a new design for FDsys. The GPO FDsys Program\n          FDsys has three major subsystems: the content          Management Office (PMO) assumed the role of the\n     management subsystem, the content preservation              Master Integrator previously held by a Contractor.\n     subsystem (accessible to GPO internal users only), and      The PMO also assumed the responsibility for design-\n     the access subsystem for public content access and          ing and managing system development. The original\n     dissemination. A multi-year, multi-release integra-         Master Integrator Contractor and other contractors\n     tion effort is being used to design, procure, develop,      were assigned system development roles under the\n     integrate, and deploy selected technologies and com-        overall guidance of the PMO.\n     ponents of FDsys.                                                 In January 2009, GPO deployed a public beta\n          The OIG is responsible for IV&V work associated        version of the FDsys access subsystem, containing\n     with developing and implementing FDsys. Under the           8 of the 55 data collections in the GPO Access sys-\n     supervision and direction of                                                        tem. The content manage-\n     the OIG, American Systems                                                           ment and content preserva-\n                                                As of September 30, 2010,\n     conducts programmatic and                                                           tion subsystems, supporting\n     technical evaluations of the           GPO expended approximately                   the Internal Service Provider,\n     FDsys program to determine            $41 million (unaudited) to deploy             Congressional Publishing\n     whether system implemen-                                                            Spe c i a l i st , P re s er v at ion\n     tation is consistent with the\n                                             FDsys Release 1, substantially              Specialist, and Report user\n     FDsys project plan and cost            exceeding the original planned               roles, was released in late\n     plan and meets GPO require-                    cost of $16 million.                 March 2009. Since deploy-\n     ments. Additionally, IV&V                                                           ment, the PMO has contin-\n     monitors development and program management                 ued to update/upgrade the beta system and correct\n     practices and processes to anticipate potential issues.     deficiencies identified during testing.\n     Specific IV&V tasks include:                                      During this reporting period, the PMO com-\n          Program Management \xe2\x80\x93 IV&V includes activities          pleted deployment of 6 post-Release 1 produc-\n     regarding the cost, schedule, and risk associated with      tion  builds. The builds nearly complete migration\n     development and implementation to evaluate overall          of data   from the existing GPO Access system to\n     program management effectiveness.                           FDsys,   and implement resolutions of 281 software\n                                                                 Program Tracking Reports (PTRs). The Continuity\n          Technical \xe2\x80\x93 IV&V includes activities regarding\n                                                                 of Operations (COOP) capability, a critical step in the\n     the resources, system requirements, architecture and\n                                                                 transition from GPO Access to FDsys as the \xe2\x80\x9csystem\n     design documents, and other critical deliverables asso-\n                                                                 of record,\xe2\x80\x9d has not yet been implemented. However,\n     ciated with FDsys development and implementation.\n\n\n\n12   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cPMO documentation reflects substantial progress          to meet expected performance. As of September\nin terms of the design, development, and testing for     30, 2010, nearly 600 PTRs created since the ini-\nboth the Continuity of Access (COA) (to support the      tial beta deployment of Release 1 (in March 2009)\npublic users) and the full COOP.                         remain open and unresolved. The on-going need to\n      Although the FDsys program continues to prog-      address these PTRs consumes program resources\nress, a number of issues remain. Based on the infor-     and reduces PMO ability to develop and deploy\nmation contained in the FDsys Release 1 Completion       new functionality.\nPlan dated October 1, 2010, the PMO completed the              This brief assessment does not mean to imply\nFinal Sunset Release and deployed this Release to        that the FDsys program lacks effort or has failed to\nthe Production System as scheduled on September          produce a viable product. The FDsys Release 1 beta\n30, 2010. However, this does not mean that the PMO       system has received praise and notoriety for its look,\nmet their goal of sun-setting GPO Access and imple-      feel, and ease of use. The PMO has also dealt with\nmenting FDsys as GPO\xe2\x80\x99s official system of record. The    external commitments/requests (for example, avail-\nFDsys Release 1 Completion Plan has been modified        ability of bulk data) that have altered internal priori-\ntwice since then. The latest version of the Plan indi-   ties and resulted in the delay of work on the develop-\ncates that the non-developmental activities that are     ment of all the capabilities envisioned for the release.\nrequired to sunset GPO Access were eighty-two per-       In addition, the migration of data from GPO Access\ncent complete with transition from GPO Access to         to FDsys has been an extremely difficult undertak-\nFDsys planned for December 23, 2010. GPO contin-         ing and required more time and resources than the\nues to operate and maintain two systems. FDsys is        PMO originally anticipated.\nstill a beta system, and GPO Access continues as the           The OIG continues to believe that the primary\nofficial system of record.                               challenges for the FDsys program are in the areas\n      A continuing concern for the FDsys program         of program management, system engineering lead-\nis the quality of the deployed system. While the         ership and technical direction, and an adequate\ntesting effort is better and more rigorous, the test     test program for the FDsys system. The goal of our\nteam is still identifying software problems before       on-going IV&V efforts is to report key risks and\nmajor production builds are deployed. These              issues to the PMO and management and provide\nproblems, documented as PTRs, describe errors/           value-added recommendations that will help miti-\ndeficiencies in system operation and/or failures         gate any risks.\n\n\n\n                                                         S e m i a n n u a l r e p o r t t o c o n g r e ss         13\n\x0c     3. Security and Intelligent Documents. As the Federal          The OIG is in the process of finalizing an audit\n     Government\xe2\x80\x99s leading provider of secure creden-          of GPO\xe2\x80\x99s secure personalization system (SECAPS)\n     tials and identity documents, GPO management             IT security controls. SECAPS is the baseline for per-\n     regards Security and Intelligent Documents (SID)         sonalization operations that supports various GPO\n     as a business unit best exemplifying the Agency\xe2\x80\x99s        customer identity card programs, including TTP\n     transformation toward high-technology production.        and CMS. Because SECAPS handles PII, the OIG\n     Because of SID\xe2\x80\x99s growing strategic importance for        placed particular audit emphasis on security con-\n     the Agency\xe2\x80\x99s transformation efforts and its sensitive    trols over PII. The audit included a security evalua-\n     work in areas of national security, the OIG closely      tion of SECAPS physical controls, system intercon-\n     monitors management\xe2\x80\x99s efforts in developing for-         nections and transmission of PII, operating systems\n     mal, internal security controls of these products,       and database systems supporting SECAPS, and\n     and will continue to emphasize oversight of all SID      purging PII. The OIG expects to issue the report in\n     operations and programs.                                 November 2010.\n           During this reporting period, SID manufactured           In 2005, the OIG recommended that GPO adopt\n     more than 7.7 million electronic passports (e-Pass-      International Organization for Standardization\n     port) for the Department of State. The Washington,       (ISO) 9000 standards for passport production. 5\n     D.C., facility produced more than 5.4 million pass-      Standards help promote best practices for manage-\n     ports, while the Secure Production Facility (SPF)        ment systems and occupational health and safety in\n     located as a COOP site in                                                            a production environment. In\n     Stennis, Mississippi, pro-               GPO management regards                      July 2010, the SPF at Stennis\n     duced more than 2.3\xc2\xa0million.                                                         and SID personnel success-\n                                                Security and Intelligent\n     During F Y 2010, t he total                                                          f u lly completed required\n     passport production volume Documents (SID) as a business unit                        aud its, ma k i ng t he faci l-\n     for the Department of State            best exemplifying the Agency\xe2\x80\x99s                ity ISO 9001-certified. This\n     was 13,275,300 passports.                                                            globally recognized certifi-\n           SID continues to operate\n                                                transformation toward                     cation is a significant accom-\n     the Washington, D.C.-based              high-technology production.                  plishment. According to SID,\n     Secure Credential Center                                                             the Washington, D.C., secure\n     (SCC), which supports the Department of Homeland         facilities and SID personnel are also on schedule to\n     Security\xe2\x80\x99s Customs and Border Protection (DHS/CBP)       be ISO 9001-certified in November 2010. SID is also\n     Trusted Traveler Programs (TTP).4 SID reports that       working to complete a library of standard operating\n     the SCC produced 199,477 Trusted Traveler cards          procedures that will lay the foundation for future\n     during FY 2010. During this reporting period, SCC        Occupational Health and Safety Assessment Series\n     also produced, personalized, and distributed for the     (OHSAS) 18001 certification.6\n     Department of Health and Human Services Center\n     for Medicare and Medicaid Service\xe2\x80\x99s (CMS) Medicare       5\n                                                                \xe2\x80\x82 The International Organization for Standardization,\n     identification cards to citizens of Puerto Rico. Rather  or ISO, is the world\xe2\x80\x99s largest developer and publisher of\n     than producing blank e\xe2\x80\x91Passports, which do not           international standards. ISO 9000 family of standards\n     entail the \xe2\x80\x9cpersonalization\xe2\x80\x9d of the credential with      represents an international consensus on good quality\n                                                              management practices. It consists of standards and\n     a citizen\xe2\x80\x99s personal information, the TTP and CMS        guidelines relating to quality management systems and\n     programs entail the use of PII by GPO to produce         related supporting standards.\n                                                              6\n     identity cards.                                            \xe2\x80\x82 OHSAS 18001 is an Occupation Health and Safety\n                                                                  Assessment Series for health and safety management\n                                                                  systems. It is intended to help an organization control\n     4\n      \xe2\x80\x82 TTPs provide expedited travel for preapproved, low-risk   occupational health and safety risks. It was developed\n     travelers through dedicated lanes and kiosks by providing    in response to widespread demand for a recognized\n     those travelers secure identification cards.                 standard against which to be certified and assessed.\n\n\n\n\n14   Off i c e o f I n s p e c t o r G e n e r a l\n\x0c                                                             in FY 2011. Eliminating costly third party commer-\n                                                             cial test laboratory expenses for required product\n                                                             evaluations, the laboratory will also provide an\n                                                             environment of greater governmental control and\n                                                             security. The secure facilities are under construc-\n                                                             tion, equipment has been ordered, and personnel\n                                                             are being trained to support this crucial secure\n                                                             product-testing environment.\n                                                                  In cooperation with the Department of State\xe2\x80\x99s\n                                                             Bureau of Consular Affairs, the Agency issued a\n                                                             Request for Proposal in June 2010 for procurement of\n                                                             e-Covers used in manufacturing U.S. Passports. The\n                                                             proposed e-Covers will be compatible with existing\n                                                             GPO manufacturing and Department of State pass-\n      SID also reports continuation of 5S audits at          port personalization processes, and must meet vari-\nboth plant locations. 5S is a methodology intended to        ous external applicable requirements and standards,\nimprove efficiencies in manufacturing process flows,         including those of the International Civil Aviation\nequipment use and placement, and environmental               Organization (ICAO) and ISOs.\nhousekeeping standards. SID also continues its work\nto complete the certification process for SCC to become      4. Internal Controls. GPO management establishes\na GSA-qualified secure card graphical personaliza-           and maintains a system of internal controls for\ntion facility. Such a certification will allow SCC to han-   effective and efficient operations, reliable financial\ndle, personalize, and distribute Homeland Security           reporting, and compliance with laws and regula-\nPresidential Directive 12 (HSPD-12) cards. The audits        tions. As the GAO notes in its Standards of Internal\nfor certification were completed as planned in May           Control in the Federal Government, internal control\n2010, and GSA should complete its assessment in              \xe2\x80\x9calso serves as the first line of defense in safeguard-\nNovember 2010. This certification will allow the SCC         ing assets and preventing and detecting errors and\nto more comprehensively serve Federal Government             fraud.\xe2\x80\x9d Almost all OIG audits include assessments of\norganizations in the area of secure credentials.             a program, activity, or function\xe2\x80\x99s control structure.\n      SID is developing a capability to manufacture                Our audits continue to identify issues related\nsecure blank card bodies through the procurement of          to internal controls. For example, the OIG issued an\ncard lamination and punch equipment and technolo-            audit report during the last reporting period that dis-\ngies that will result in more secure and controlled card     cusses internal controls associated with the security\nproduction as well as lower costs and better service to      of GPO\xe2\x80\x99s e-Passport supply chain. As part of that audit,\nGPO\xe2\x80\x99s agency customers. In September 2010, SID took          we determined whether GPO had formal documented\ndelivery of card lamination and punch equipment as           policies, procedures, techniques, or mechanisms in\nwell as the process of installation and development of       place to implement a security process for its e-Passport\nstandard operating procedures. Operator training is          supply chain and whether an organizational structure\nunderway. SID should be able to manufacture secure           was in place that clearly defines key areas of authority,\nblank card bodies during FY 2011.                            responsibility, and appropriate lines of reporting for\n      SID is also establishing a Secure Credential           e-Passport supply chain security. The audit revealed\nTesting Laboratory that will conduct regular per-            that a control deficiency existed because GPO did not\nformance, durability, and quality tests of passports         have a formal, Agency-wide process for ensuring secu-\nand credential products. The Secure Credential               rity for the e\xe2\x80\x91Passport supply chain, as basic Federal\nTesting Laboratory is expected to be operational             Government internal control standards require.\n\n\n\n\n                                                             S e m i a n n u a l r e p o r t t o c o n g r e ss          15\n\x0c           The annual financial statement audit also                 safeguards for PII, and maintain accurate, relevant,\n     addresses internal control issues and provides man-             timely, and complete PII information. As reported in\n     agement with recommendations for corrective actions.            OIG Report 07-09, \xe2\x80\x9cGPO Compliance with the Federal\n     Although management recognizes the need for improv-             Information Security Management Act (FISMA),\xe2\x80\x9d\n     ing the internal control environment to successfully            dated September 27, 2007, and again in our FISMA\n     implement its strategic vision and planned future initia-       Report 10\xe2\x80\x9303 dated January 12, 2010, GPO is pro-\n     tives, Agency action is important because of implemen-          gressing with efforts to protect PII contained in infor-\n     tation of Statement on Auditing Standards (SAS) No.\xc2\xa0112,        mation systems. GPO Directive 825.41, \xe2\x80\x9cProtection\n     \xe2\x80\x9cCommunicating Internal Control Related Matters                 of Personally Identifiable Information,\xe2\x80\x9d issued\n     Identified in an Audit.\xe2\x80\x9d SAS No.\xc2\xa0112 establishes stan-          March\xc2\xa030, 2010, establishes a framework for protect-\n     dards and provides guidance on communicating mat-               ing PII at GPO.\n     ters related to an entity\xe2\x80\x99s internal control over financial             In response to recommendations included in\n     reporting identified in a financial statement audit. The        a February 2009 Management Implication Report\n     standard requires that the auditor communicate con-             regarding the handling of PII, the Public Printer\n     trol deficiencies that are \xe2\x80\x9csignif-                                                        appoi nted a sen ior-level\n     icant deficiencies\xe2\x80\x9d and \xe2\x80\x9cmate-                                                             manager as Privacy Officer\n                                                 Internal control \xe2\x80\x9calso serves\n     rial weaknesses.\xe2\x80\x9d During the FY                                                            (PO) during the last report-\n     2009 financial statement audit,              as the first line of defense in               ing period. The primary duty\n     KPMG, LLP, (KPMG) identified           safeguarding assets and preventing for the PO is to implement\n     two significant internal control                                                           Directive 825.41. The PO will\n                                              and detecting errors and fraud.\xe2\x80\x9d\n     deficiencies it did not consider                                                           also review PII in each of\n     material weaknesses. The sig-                                                              the Agency\xe2\x80\x99s business units,\n     nificant deficiencies KPMG identified were related to           reduce PII to the minimum necessary, develop a\n     (1) financial reporting controls, and (2) IT general and        schedule for periodic review of PII, establish a plan to\n     application controls. The deficiencies will be followed         eliminate the unnecessary collection and use of social\n     up on during the FY 2010 financial statement audit,             security numbers, and establish an incident response\n     which is ongoing. An evaluation of internal controls            plan to handle breaches of PII. The OIG is monitoring\n     continues an area of emphasis for all OIG audits.               implementation of GPO Directive 825.41 to ensure that\n                                                                     safeguards are in place, implemented, and followed.\n     5. Protection of Sensitive Information. GPO has had to                  During this reporting period, GPO hired a new pri-\n     establish rules of conduct and appropriate admin-               vacy program manager (PPM) to help the PO implement\n     istrative, technical, and physical safeguards that              GPO Directive 825.41. The PPM has met with various\n     adequately identify and protect sensitive informa-              GPO Business Units, identified what PII is at GPO, where\n     tion. Failure to have such rules and safeguards could           it is located, and how it is safeguarded. The PPM estab-\n     result in harm, embarrassment, inconvenience, or                lished a Privacy Incident Response Team and incident\n     unfairness to individuals and GPO, including pos-               handling timeline so that GPO can respond appropri-\n     sible litigation. Of particular importance is the need          ately to any privacy related incident. In addition, each\n     to safeguard against and respond to any breach                  Business Unit has designated a Privacy Point of Contact\n     of PII, including PII in both information systems               who will work closely with the PPM to ensure that any\n     and paper documents. In accordance with OMB                     existing or new projects adhere to GPO\xe2\x80\x99s privacy protec-\n     Memorandum 06-15 and OMB Memorandum 07-16,                      tion policies. The PPM is working with GPO University\n     executive branch agencies must implement policies               to develop a training curriculum for all GPO employees\n     and procedures that protect and respond to a breach             and contractors on their responsibilities for protecting\n     of PII as far back as the middle of 2007.                       PII and complying with established guidelines.\n           FISMA requires that each agency establish rules                   Finally, the Agency issued new, updated forms\n     of conduct for persons involved with PII, establish             for Agency customers\xe2\x80\x94t he SF-1 Binding and\n\n\n\n16   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cRequisition Form and the GPO 4044 (Simplified\nPurchase Agreement Work Order)\xe2\x80\x94that will now\nrequire that customers indicate whether documents\nare classified, sensitive but unclassified (SBU), or\ncontain PII. The forms were revised, in part, in\nresponse to the OIG\xe2\x80\x99s recommendations to improve\nGPO processes concerning handling classified and\nsensitive but unclassified materials, in addition to\nother instances regarding the handling of PII. We\napplaud the agency for moving forward with these\nefforts to address PII protection at GPO.\n\n6. Acquisitions and Print Procurement. As with other\nFederal agencies, GPO faces challenges in its acqui-\nsition functions. Acquiring goods and services, espe-\ncially those necessary to transform the Agency and\nprovide services to its Federal customers in an effi-\ncient, effective, accountable, and environmentally\nconscious manner, is essential. With more than $650\nmillion in acquisitions during FY 2009, we remain con-\ncerned that the Agency has not devoted the resources\nnecessary for conducting an independent assessment          security of the e\xe2\x80\x91Passport supply chain and other\nof acquisition services that will identify gaps in effec-   ongoing audits. As our audit of the e-Passport sup-\ntive performance and implement a plan for resolving         ply chain revealed, of the 10 significant e-Passport\ncritical issues, as the Services Acquisition Reform Act     supplier contracts reviewed, 5 lacked critical infor-\nof 2003 and OMB guidelines require.                         mation that the Agency\xe2\x80\x99s Materials Management\n      During 2009, OMB provided guidelines to exec-         Acquisition Regulation (MMAR) requires. Such con-\nutive branch agencies requiring that they conduct           tract file information is critical to the OIG so we can\ninternal reviews of the acquisition function required       review and investigate Agency contracting actions\nunder OMB Circular No. A-123. OMB used the GAO              and administration. Acquisition Services should\n\xe2\x80\x9cFramework for Assessing the Acquisition Function           comply with the MMAR by properly documenting\nat Federal Agencies\xe2\x80\x9d as the standard assessment             contract files.\napproach.7 Although GPO is not required to follow                Additionally, we identified that a signifi-\nOMB guidelines in that area, we believe that the            cant number of e-Passport supplier contracts did\nAgency would greatly benefit from a review of its           not contain security-related requirements or lan-\nAcquisition Services. Although the Public Printer           guage that would have given the Agency the right to\nannounced in his June 7, 2010, letter to Congress that      review, authorize the subcontracting of, and inspect\nsuch an independent assessment would be com-                the operations of companies that provide critical\npleted by the end of this reporting period, the OIG         components for the e-Passport. Acquisition Services\nhas not yet received the assessment report.                 should work with the Office of General Counsel and\n      We are also concerned about other specific            SID to ensure that all contracts related to e-Passports,\nissues regarding Agency contract administra-                and other sensitive identity products, include the\ntion, as evidenced in part by our recent audit of the       appropriate language about proper security plans\n                                                            and oversight rights.\n7\n  \xe2\x80\x82 GAO Report GAO-05-218G, September 2005, http://              Finally, we note that the Improper Payments\nwww.gao.gov/new.items/d05218g.pdf.\n                                                            Elimination Improvement Act was signed into law\n\n\n\n                                                            S e m i a n n u a l r e p o r t t o c o n g r e ss         17\n\x0c     on July 22, 2010. That 2010 Act amends the Improper      financial reporting controls, and (2) IT general and\n     Payments Information Act of 2002 by requiring that       application controls.8\n     executive branch agencies periodically identify and            With respect to financial reporting controls,\n     review programs and activities susceptible to signifi-   KPMG identified specific deficiencies concerning\n     cant improper payments and report on any actions         review and reporting of general property, plant, and\n     to reduce or recover improper payments in accor-         equipment; certain reconciliation controls; and con-\n     dance with guidance OMB plans to issue. Although         trols over compilation of statement of cash flows.\n     GPO is not covered by law, we urge management to         Deficiencies with the design and/or operations of\n     undertake this type of review so that it can develop     GPO\xe2\x80\x99s IT general and application controls were noted\n     actions that will reduce or recover any improper pay-    in security management, access controls, config-\n     ments. We expect to review efforts by the Agency in      uration management, and contingency planning.\n     this area in the future.                                 Financial management and performance and the\n                                                              Agency\xe2\x80\x99s ability to provide timely, accurate, and use-\n     7. Financial Management and Performance. Over            ful financial information will continue to be a man-\n     the years, financial management and performance          agement concern. Each of the identified weaknesses\n     has been identified by many agencies, includ-            and deficiencies will be followed up on as part of the\n     ing GPO, as a significant management challenge.          FY 2010 financial audit, which is in progress.\n     Federal agencies continue to face challenges pro-\n     viding timely, accurate, and useful financial infor-     8. Continuity of Operations. GPO\xe2\x80\x99s ability to con-\n     mation and managing results. Better budget and           tinue its mission essential functions of congressional\n     performance integration has become even more             printing and publishing, production of the Federal\n     critical for results-oriented management and effi-       Register, and production of blank passport books for\n     cient allocation of scarce resources among compet-       the Department of State during a disruption in opera-\n     ing needs. OIG auditors and contractors they over-       tions continues to be a significant area of concern. A\n     see are vital in keeping the Federal Government\xe2\x80\x99s        power loss incident in 2009, which directly affected\n     financial information and reporting transparent,         production of the Congressional Record, brought the\n     valid, and useful to agency decision makers and          COOP issue to the forefront and underscored the crit-\n     other stakeholders.                                      ical nature of the Agency\xe2\x80\x99s ability to continue essen-\n           GPO has completed migration of current busi-       tial functions during a disruption of operations. A\n     ness, operational, and financial systems, including      public-facing server outage in 2009 also raised issues\n     associated work processes, to an integrated system of    concerning the capability of GPO to maintain com-\n     Oracle enterprise software and applications known        munications with external stakeholders and employ-\n     as the Oracle E-Business Suite. The new system is        ees during a COOP event to include Web-based con-\n     intended to provide GPO with integrated and flex-        tent as well as e-mail.\n     ible tools that support business growth and customer           The Agency continues with the necessary steps\n     technology requirements for products and services.       for enhancing its COOP posture, including planning\n           The OIG continues to oversee the activities of     and conducting exercises with scenarios that test\n     KPMG, the IPA conducting the annual financial            alternate production facilities and procedures for\n     statement audit. KPMG expressed an unqualified\n     opinion on GPO\xe2\x80\x99s FY 2009 financial statements, stat-     8\n                                                                \xe2\x80\x82 A significant deficiency is defined as a deficiency, or\n     ing that the Agency\xe2\x80\x99s financial statements were fairly   combination of deficiencies, in internal control that is less\n                                                              severe than a material weakness, yet important enough\n     presented, in all material respects, and in confor-\n                                                              to merit attention by those charged with governance.\n     mity with generally accepted accounting principles.      A material weakness is a deficiency, or combination\n     Although GPO addressed previous material weak-           of deficiencies, in internal control, such that there is a\n                                                              reasonable possibility that a material misstatement of\n     nesses, KPMG identified two significant deficiencies\n                                                              the entity\xe2\x80\x99s financial statements will not be prevented, or\n     it did not consider material weaknesses, including (1)   detected and corrected on a timely basis.\n\n\n\n18   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cnotifying essential personnel. Accomplishments dur-       creating a culture of customer service, support of\ning the last reporting period included an Executive       the Administration\xe2\x80\x99s initiative on transparency, and\nOffices COOP exercise in February 2010. The exer-         a collaborative approach to fiscal responsibility. As\ncise was the first involving executive leadership and     of the end of this reporting period, management has\nsome support units, and included relocating to a non-     not provided the OIG with an update to the Agency\xe2\x80\x99s\nGPO facility for strategy and decision-making. The        Strategic Vision.\nprimary goal of the exercise was to familiarize the\nappropriate personnel with the procedures and situa-      10. Sustainable Environmental Stewardship. As the\ntion of working out of a non-GPO building to manage       largest industrial manufacturer in the District of\nthe first phase of a COOP event. Although all of the      Columbia, GPO has always faced challenges to\ngoals were demonstrated, there were areas needing         become more environmentally sensitive. The Public\nimprovement and recommendations made for fur-             Printer has made central to his administration \xe2\x80\x9cthe\nther improving the Agency\xe2\x80\x99s COOP posture. These           call to sustainable environmental stewardship\xe2\x80\x9d\nareas will be further tested as part of the Agency\xe2\x80\x99s      and to attempt to be green in virtually every step of\nCOOP plans for FY 2011.                                   the printing process. Previously, the Public Printer\n                                                          outlined a plan that would help GPO become more\n9. Strategic Vision and Customer Service. To achieve      efficient and make better use of resources under\nits objectives as a 21st Century information process-     its control. More recently, the Public Printer noted\ning and dissemination operation, GPO management           that a future based on environmental sustainabil-\nmust maintain the appropriate focus, staffing, and        ity is more than simply going green, but rather \xe2\x80\x9cit\nalignment with the Agency Strategic Vision. The cul-      means expanding our digital operations and mak-\nture and focus of customer service efforts must reflect   ing changes in paper, inks, equipment configura-\na new way of thinking, and customers should come          tions, and energy sources so that we can support\nto GPO because they want\xe2\x80\x94not because they must.           our customers in Congress, Federal agencies, and\nTransformation of the traditional GPO customer\nrelationship requires a continuing evolution toward\nstate-of-the-art customer relations management.\n      In line with its Strategic Vision, GPO previously\nreorganized several business units to better serve its\nGovernment customers. Such a realignment of busi-\nness units was initiated to help streamline processes,\nstrengthen customer relationships, and develop new\nsales opportunities. GPO should continue its efforts\nto enhance business development and customer ser-\nvice and measure their level of success to ensure a\nculture of continuous improvement.\n      Nevertheless, after almost 6 years, the Agency\xe2\x80\x99s\nStrategic Vision, which was issued on December 4,\n2004, and included a Business Plan from FY 2005\nthrough 2009, is itself in need of review and updat-\ning. The Agency should review its transforma-\ntional efforts thus far to measure its accomplish-\nments, its shortcomings, and its renewed vision for\nthe future. Senior management developed a draft\nupdate to the Agency\xe2\x80\x99s Strategic Vision in May 2010\nthat included nine strategic goals, which included\n\n\n\n                                                          S e m i a n n u a l r e p o r t t o c o n g r e ss      19\n\x0c     the public in a more efficient and environmentally                    Although not required to adhere to the Executive\n     responsible way.\xe2\x80\x9d                                               Order, we urge that management adopt its tenets and\n           We reported in our previous semiannual report             develop written policies for purchasing environmen-\n     that GPO was printing the Congressional Record on               tally sustainable goods and services, monitor com-\n     paper comprised of 100-percent post-consumer                    pliance annually and fix shortcomings, and provide\n     waste. GPO is also printing the Federal Register on             training on making purchases that are environmen-\n     100-percent post-consumer waste paper. And prog-                tally sound and comply with the spirit of the order.\n     ress continues on other initiatives, including moving           These and other stewardship initiatives will require\n     from Web offset presses to digital equipment, devel-            a top-to-bottom and bottom-to-top commitment.\n     oping a chemical inventory management system, and               Employee empowerment and training will be abso-\n     reducing landfill waste.                                        lutely necessary for the Agency to achieve its goals\n           We continue to encourage management and                   and sustain them.\n     Congress to renew their efforts to evaluate a new                     We noted in our previous report that GPO\xe2\x80\x99s\n     facility that would more appropriately meet Agency              environmental executive recommended to the OIG\n     needs and be more energy efficient. A more energy               issues to explore with the GPO legislative branch\n     efficient and environmentally conscious facility                counterparts. Those recommendations include\n     not only fits with the Agency\xe2\x80\x99s environmental stew-             the following:\n     ardship initiative but also meets the environmen-               \xe2\x97\x8f\t consolidating waste-hauling contracts to obtain\n\n     tal and economic objectives for Congress and the                   a more favorable rate for recycled goods as well as\n     Administration.                                                    ensure that each agency can participate in recy-\n           We also encourage management to promote and                  cling efforts.\n     incorporate green thinking into all business processes\n                                                                     \xe2\x97\x8f\t consolidating standard goods purchasing, such as\n     through performance metrics, reward programs, and\n                                                                        cafeteria supplies, cleaning chemicals, and paper\n     other means. For example, the OIG urges an integrated\n                                                                        (in all its forms), to reduce cost and ensure each\n     approach to green acquisition. In October 2009, the\n                                                                        agency is using the \xe2\x80\x9cgreenest\xe2\x80\x9d products available.\n     President issued Executive Order 13514, which sets\n                                                                     \xe2\x97\x8f\t sharing service contracts to achieve economies\n     sustainability goals for Federal agencies and focuses\n     on making improvements in their environmental,                     of scale and uniformity throughout the legislative\n     energy, and economic performance. In particular,                   branch agencies.\n     the Executive Order advances sustainable acquisition                  The legislative branch OIGs have reviewed the\n     by ensuring that 95 percent of new contract actions             issues and are exploring crosscutting review oppor-\n     including task and delivery orders for products and             tunities. We again encourage that management\n     ser v ices (w it h t he excep-                                                            address those issues directly\n     tion of acquisition of weapon               We   continue    to encourage                 with officials in other legisla-\n     systems) are energ y-ef f i-             management and Congress to                       tive branch agencies.\n     cient (such as Energy Star or                                                                  We included in our work\n     Federal Energy Management\n                                              renew     their efforts  to evaluate             plan  a review of energy use at\n     Program designated), water-              a new facility that would more                   GPO to determine whether a\n     efficient, bio-based, envi-                                                               comprehensive plan exists for\n                                            appropriately meet Agency needs\n     ronmentally preferable (for                                                               implementing energy-related\n     example, Electronic Product               and    be more   energy    efficient.           projects, as part of an overall\n     Environmental Assessment                                                                  plan that helps reduce emis-\n     Tool certified), non-ozone depleting, contain recy-             sions, energy consumption, and energy costs. We\n     cled content, or are non-toxic or less-toxic alternatives,      look forward to working with Agency personnel in\n     where such products and services meet an agency\xe2\x80\x99s               achieving a long-term and sustainable environmen-\n     performance requirements.                                       tal stewardship program.\n\n\n\n20   Off i c e o f I n s p e c t o r G e n e r a l\n\x0co f f i c e o f au d i t s\na n d inspections\n\n\n\n\nA\n         s the IG Act requires, OAI conducts independent and objective\n         performance and financial audits relating to GPO operations\n         and programs, and oversees the annual financial statement\naudit an IPA firm conducts. OAI also conducts short-term inspections\nand assessments of GPO activities, which generally focus on issues\nlimited in scope and time. OIG audits are performed in accordance\nwith generally accepted government auditing standards that the\nComptroller General of the United States issues. When requested, OAI\nprovides accounting and auditing assistance for both civil and crimi-\nnal investigations. OAI refers to OI for investigative consideration any\nirregularities or suspicious conduct detected during audits, inspec-\ntions, or assessments.\n\n\nA . Summary of Audit and\nInspection Activit y\nDuring this reporting period, OAI issued three new reports. OAI also\ncontinued its work with management to close open recommenda-\ntions carried over from previous reporting periods. As of September\n30, 2010, a total of 48 recommendations from previous reporting peri-\nods remain open.\n\n\nB. Financial Statement Audit\nFederal law requires that GPO obtain an independent annual audit of\nits financial statements, which the OIG oversees. KPMG is conduct-\ning the FY 2010 audit under a multiyear contract for which OAI serves\nas the Contracting Officer\xe2\x80\x99s Technical Representative (COTR). The\noversight provided ensures that the audit complies with Government\nAudit Standards. OAI also assists with facilitating the external audi-\ntor\xe2\x80\x99s work as well as reviewing the work performed. In addition, OAI\nprovides administrative support to KPMG auditors and coordinates\nthe audit with GPO management. OIG oversight of KPMG, as differen-\ntiated from an audit in accordance with Government Audit Standards,\n\n\n\n\n                 S e m i a n n u a l r e p o r t t o c o n g r e ss        21\n\x0c     is not intended to enable us to express, and therefore      schedule risks, the report discusses issues and con-\n     we do not express, an opinion on GPO\xe2\x80\x99s financial            cerns addressed in previous quarterly reports. The\n     statements, the effectiveness of internal controls, or      issues and concerns were already encompassed by\n     compliance with laws and regulations.                       open recommendations provided to the PMO in pre-\n          KPMG previously issued an unqualified opin-            vious IV&V Quarterly Reports.\n     ion on GPO\xe2\x80\x99s FY 2009 financial statements, stating\n     that the Agency\xe2\x80\x99s financial statements were fairly          2. Assessment Report 10 \xe2\x80\x93 08\n                                                                 (Issued September 16, 2010)\n     presented, in all material respects, and in confor-\n     mity with generally accepted accounting principles.         Federal Digital System (FDsys) Independent Verifi-\n     KPMG identified two significant deficiencies, which it      cation and Validation \xe2\x80\x93 Twelfth Quarter Report on\n     did not consider to material weaknesses. Those defi-        Risk Management, Issues, and Traceability\n     ciencies were: (1) financial reporting controls and (2)     The twelfth quarterly report on FDsys covers the\n     IT general and application controls.                        period from April 7, 2010, through July 30, 2010. The\n          During this reporting period, KPMG began work          period covered for this report was extended from\n     on the audit of GPO\xe2\x80\x99s 2010 consolidated financial           June 30 to July\xc2\xa030 in order to include responses from\n     statements.                                                 the FDsys PMO to the OIG\xe2\x80\x99s request for information\n                                                                 related to the first public FDsys Program Review.\n     C. Audit and Inspection Reports                             During this period, IV&V did not identify any new\n                                                                 technical, cost, or schedule risks. As a result, we did\n     1. Assessment Report 10 \xe2\x80\x93 07                                not make any new recommendations. The report\n     (Issued June 18, 2010)                                      does, however, discuss several issues worth noting as\n     Federal Digital System (FDsys) Independent Veri-            the PMO implements the remaining efforts to com-\n     fication and Validation \xe2\x80\x93 Eleventh Quarter Report           plete Release 1. For example, IV&V identified that:\n     on Risk Management, Issues, and Traceability                \tAs of July 28, 2010, the PMO identified a total of 155\n                                                                 \xe2\x97\x8f\n\n\n     The FDsys program is intended to modernize the               Program Tracking Reports (PTRs) that need resolv-\n     information collection, processing, and dissemina-           ing to complete Release 1 and sunset GPO Access.\n     tion capabilities GPO performs for the three branches        Resolving those 155 PTRs would result in at least 565\n     of the Federal Government. During this reporting             remaining open in various states (for example, Sub-\n     period, the OIG continued to oversee the efforts of          mitted, In Analysis, In Work) when FDsys replaces\n     American Systems as it conducted IV&V for the public         GPO Access as GPO\xe2\x80\x99s electronic system of record.\n     release of FDsys. As part of its contract with the OIG,     \t Seventy-four system requirements that are \xe2\x80\x9cNot\n                                                                 \xe2\x97\x8f\n\n\n     American Systems is assessing the state of program            Implemented\xe2\x80\x9d were assigned the status \xe2\x80\x9cNeed for\n     management, technical and testing plans, and other            Release 1 Completion.\xe2\x80\x9d Of the 74 requirements, 26\n     efforts related to the rollout of Release 1. The contract     also had associated PTRs. Of the 26 requirements,\n     requires that American Systems issue to the OIG a             18 appear to have been implemented because their\n     quarterly Risk Management, Issues, and Traceability           associated PTRs were resolved. The other eight\n     Report, providing observations and recommenda-                requirements in this group were linked to PTRs but\n     tions on the program\xe2\x80\x99s technical, schedule, and cost          not included in a July 28, 2010, list of critical PTRs\n     risks as well as requirements traceability of those           that must be fixed to sunset GPO Access. Thus, it\n     risks and the effectiveness of the program manage-            was not clear whether the PMO intended to resolve\n     ment processes in controlling risk avoidance.                 these eight as part of the FDsys Release 1 product\n          This eleventh quarterly report covers the period         targeted for the end of FY 2010.\n     from January 1, 2010, through April 6, 2010. Although       \tThe other 48 requirements \xe2\x80\x9cNot Implemented\xe2\x80\x9d\n                                                                 \xe2\x97\x8f\n\n     IV&V did not identify any new technical, cost, or            with a status of \xe2\x80\x9cNeed for Release 1 Completion\xe2\x80\x9d\n\n\n\n\n22   Off i c e o f I n s p e c t o r G e n e r a l\n\x0c    had not been assigned to PTRs. Since the Release\n    1 Completion schedule did not contain a specific\n    task to resolve them, it is unknown if their fixes\n    had already been or would be implemented in the\n    Release 1 time frame.\n\xe2\x97\x8f\tThe PMO has made substantial progress toward\n  completion of Release 1. The schedule, which is\n  being maintained on a weekly basis, indicates\n  that the Release 1 effort is 58-percent complete.\n  However, the schedule also indicates that signifi-\n  cant efforts, specifically those related to the final\n  verification of the system, are incomplete.\n    Recommendations provided to the PMO, which\naddress the concerns identified, were provided by\nIV&V in earlier Quarterly Reports.\n\n3. Assessment Report 10 \xe2\x80\x93 09\n(Issued September 20, 2010)\n\nWebTrust Assessment of GPO\xe2\x80\x99s Public Key\nInfrastructure Certification Authority \xe2\x80\x93\nAttestation Report\nGPO implemented a PKI to support its \xe2\x80\x9cborn digital\nand published to the web\xe2\x80\x9d methodology to meet GPO\ncustomer expectations of being official and authen-\ntic. The GPO PKI also directly supports GPO\xe2\x80\x99s mis-\nsion related to electronic information dissemination\nand e-Government. The GPO Certification Authority\n(CA) issues, signs, and manages the public key cer-\ntificates in secure facilities based in Washington,\nD.C. The GPO PKI is cross-certified with the Federal\nBridge Certificate Authority (FBCA). FBCA certifica-      controls over its CA operations is fairly stated based\ntion provisions require that the GPO PKI undergo an       on underlying principles and evaluation criteria.\nannual compliance review.                                     The scope of the assessment included the fol-\n      To satisfy this compliance requirement, the         lowing entities involved with operating the GPO CA:\nOIG tasked Ernst & Young to conduct a WebTrust\n                                                          \tCA policies and procedures\n                                                          \xe2\x97\x8f\nassessment of its CA. The assessment, for the period\nof July 1, 2009, through June 30, 2010, was con-          \tRegistration authorities\n                                                          \xe2\x97\x8f\n\n\nducted in accordance with the American Institute          \tCA and repository\n                                                          \xe2\x97\x8f\n\n\nof Certified Public Accountants (AICPA) WebTrust          \tCA supporting systems, databases, and PKI facilities\n                                                          \xe2\x97\x8f\n\nPrinciples and Criteria for Certificate Authorities\n                                                               The assessment also measured CA compliance\na nd Statement on Sta nda rds for At testat ion\n                                                          with reporting requirements of the Federal Public\nEngagements (SSAE) Number 10. The assessment\n                                                          Key Infrastructure Policy Authority.\nrepresents an evaluation of whether GPO\xe2\x80\x99s asser-\n                                                               As a result of work performed, Ernst & Young\ntion related to the adequacy and effectiveness of\n                                                          issued an attestation report expressing its unqualified\n\n\n\n\n                                                          S e m i a n n u a l r e p o r t t o c o n g r e ss        23\n\x0c     opinion that management\xe2\x80\x99s assertion related to the ade-        (4) calculation and administration of bi-weekly\n     quacy and effectiveness of controls over its CA opera-         and annual earnings limits and salary caps; and\n     tions was, in all material respects, fairly stated based       (5) calculation, payment, and administration of\n     on the AICPA WebTrust for CA Criteria.                         the GPO Goal Sharing Program.\n                                                                \tAn audit of the Secure Card Personalization Sys-\n                                                                \xe2\x97\x8f\n\n\n\n     D. Ongoing Work                                             tem\xe2\x80\x99s (SECAPS) IT Security Controls will deter-\n                                                                 mine whether a requisite level of IT security con-\n     OAI has several audits and assessments ongoing              trols was applied to help ensure data integrity, data\n     whose results should be published during the next           confidentiality, and system availability.\n     reporting period. Those assignments include:\n     \tAn audit of\xc2\xa0GPO\xe2\x80\x99s Administration of the FDsys\n     \xe2\x97\x8f\n                                                                E . Status of Open\n      Master Integrator Contract will determine\xc2\xa0whether         Recommendations\n      GPO effectively administered the contract. The\n      audit will specifically determine whether\xc2\xa0GPO             Management officials made progress in implement-\n      adhered to the Materials Management Acquisi-              ing and closing many of the recommendations iden-\n      tion Regulation\xc2\xa0and other applicable laws, rules,         tified during previous semiannual reporting periods.\n      regulations, and guidance related to (1)\xc2\xa0con-             For the 48 recommendations still open, a summary\n      tract\xc2\xa0award; (2)\xc2\xa0monitoring of contract perfor-           of the findings and recommendations, along with the\n      mance; (3) contract modifications; (4) verification       status of actions for implementing the recommenda-\n      of costs incurred; and (5) contract closeout.             tion and OIG comments, follows.\n\n     \tAn audit of the GPO Express Program will evaluate\n     \xe2\x97\x8f\n                                                                1. Assessment Report 06\xe2\x80\x93 02\n      management controls over the program, including           (Issued March 28, 2006)\n      whether (1) GPO Express cards were adequately\n                                                                GPO Network Vulnerability Assessment\n      controlled and issued, (2) contract terms between\n      FedEx Kinkos and GPO were complied with, and              F i n di ng\n      (3) revenues reflected program activity.                  Although GPO has many enterprise network controls in\n     \tAn audit of Control and Accountability of Lap-\n     \xe2\x97\x8f                                                          place, improvements that will strengthen the network\n      top Computers will determine whether (1) GPO              security posture are needed. During internal testing, we\n      could account for all Agency laptop purchases and         noted several vulnerabilities requiring strengthening of\n      (2)\xc2\xa0controls were in place to prevent the theft or loss   controls. However, no critical vulnerabilities were iden-\n      of laptops.                                               tified during external testing. Although unclassified,\n     \tAn audit of the GPO Ethics Program will deter-\n     \xe2\x97\x8f\n                                                                we consider the results of the assessment sensitive and,\n      mine whether (1) GPO complied with applicable             therefore, limited discussion of its findings.\n      Federal ethics guidance, and (2) the ethics pro-          R e c om m e n dat ion\n      gram at GPO was consistent with Federal Govern-           The OIG made four recommendations that should\n      ment best practices.                                      strengthen internal controls associated with the GPO\n     \t Senior management requested that the OIG assess\n     \xe2\x97\x8f\n                                                                enterprise network. Those recommendations should\n       compliance of GPO\xe2\x80\x99s payroll operations with appli-       reduce the risk of compromise to GPO data and systems.\n       cable laws, rules, and regulations. The audit will       M a n ag e m e n t C om m e n t s\n       determine whether GPO complied with applicable           Management concurred with each recommendation\n       guidance related to the (1)\xc2\xa0request and approval of      and initiated corrective action.\n       Leave Without Pay (LWOP); (2) request, approval,         OIG C om m e n t s\n       calculation, and administration of advanced              One recommendation made in this report remains open.\n       annual leave; (3) request, approval, calculation,        Implementation of corrective action is still ongoing.\n       and administration of daily and weekly overtime;\n\n\n\n24   Off i c e o f I n s p e c t o r G e n e r a l\n\x0c2. Assessment Report 08 \xe2\x80\x9312                             R e c om m e n dat ion\n(Issued September 30, 2008)                             The OIG made two recommendations to management\n                                                        that would enhance planning for the IPv6 transition.\nAssessment of GPO\xe2\x80\x99s Transition Planning for Inter-\nnet Protocol Version 6 (IPv6)                           M a n ag e m e n t C om m e n t s\n                                                        Management concurred with each recommendation\nF i n di ng                                             and has either taken or planned to take responsive\nThe OIG assessed Agency planning for transi-            corrective actions.\ntion from Internet Protocol version 4 (IPv4) to ver-\n                                                        OIG C om m e n t s\nsion 6 (IPv6). Internet routing protocols are used\n                                                        One recommendation remains open. The recom-\nto exchange information across the Internet.\n                                                        mendation remains open pending completion of\nProtocols are standards that define how computer\n                                                        GPO\xe2\x80\x99s ongoing infrastructure refresh.\ndata are formatted and received by other comput-\ners. IPv6 is a developing Internet protocol that pro-   3. Assessment Report 09 \xe2\x80\x93 01\nvides benefits such as more Internet addresses,         (Issued November 4, 2008)\nhigher qualities of service, and better authentica-\n                                                        Federal Digital System (FDsys) Independent Verifi-\ntion, data integrity, and data confidentiality. The\n                                                        cation and Validation (IV&V) - Fourth Quarter Re-\nOIG assessment identified that GPO plans to tran-\n                                                        port on Risk Management, Issues, and Traceability\nsition to IPv6 as part of a broad acquisition plan\nthat will update its IT infrastructure. The Agency      F i n di ng\nhas not finalized target dates for the updates. The     The OIG contracted with American Systems, a com-\nOIG believes that the planned transition is an          pany with significant experience in the realm of IV&V\neffective long-term approach. In the short term,        for Federal civilian and Defense agencies, to conduct\nhowever, GPO should consider implementing               IV&V for the first public release of FDsys. As part of\nthe minimum IPv6 requirements, which should             its contract, the contractor is assessing the state of\nensure that resources such as FDsys are capable of      program management, technical and testing plans,\ningesting information from IPv6 sources.                and other efforts related to this public release. The\n\n\n\n                                                        S e m i a n n u a l r e p o r t t o c o n g r e ss       25\n\x0c     contractor is required to issue to the OIG a quarterly\n     Risk Management, Issues, and Traceability Report\n     providing observations and recommendations on the\n     program\xe2\x80\x99s technical, schedule and cost risks, as well\n     as requirements traceability of those risks and the\n     effectiveness of the program management process in\n     controlling risk. During the period this report covers,\n     GPO launched a public beta version of FDsys contain-\n     ing a limited number of collections. This fourth quar-\n     terly report provides an overview of the key risks and    nonconcurred with three. Management proposed\n     issues identified by the FDsys IV&V team from April       responsive corrective actions to six of the recom-\n     through June 2008, including security requirements        mendations. Although we disagreed with man-\n     and risk management.                                      agement\xe2\x80\x99s position on the remaining four recom-\n     R e c om m e n dat ion                                    mendations, we accepted management\xe2\x80\x99s proposed\n     The OIG made five recommendations to manage-              alternative corrective actions.\n     ment intended to further strengthen management            OIG C om m e n t s\n     of the FDsys program.                                     Three recommendations remain open. Management\n     M a n ag e m e n t C om m e n t s                         continues to take responsive actions to implement\n     Management concurred with each recommendation             the three open recommendations.\n     and proposed responsive corrective actions.\n                                                               5. Assessment Report 09 \xe2\x80\x93 07\n     OIG C om m e n t s                                        (Issued March 20, 2009)\n     Two recommendations remain open. Management\n     continues to work on implementing corrective              Federal Digital System (FDsys) Independent\n     actions for the three open recommendations.               Verification and Validation (IV&V) \xe2\x80\x93\n                                                               Sixth Quarter Report on Risk Management,\n     4. Assessment Report 09 \xe2\x80\x93 03                              Issues, and Traceability\n     (Issued December 24, 2008)\n                                                               F i n di ng\n     Federal Digital System (FDsys) Independent                This sixth quarterly report provides an overview of\n     Verification and Validation (IV&V) \xe2\x80\x93 Fifth Quarter        the key risks and issues identified by the FDsys IV&V\n     Report on Risk Management, Issues, and Traceability       team from October 2008 through January 9, 2009,\n                                                               including security and the state of program activities\n     F i n di ng\n                                                               required for deployment as well as technical, sched-\n     This fifth quarterly report provides an overview of\n                                                               ule, and cost risks.\n     the key risks and issues identified by the FDsys IV&V\n     team from July through September 2008, including          R e c om m e n dat ion\n     those related to the FDsys detail design, and system      The OIG made four recommendations intended\n     integration testing as well as technical, schedule, and   to further strengthen management of the FDsys\n     cost risks the program faces.                             program.\n     R e c om m e n dat ion                                    M a n ag e m e n t C om m e n t s\n     The OIG made 10 recommendations to management             Management concurred with each recommendation\n     intended to further strengthen management of the          and proposed responsive corrective actions.\n     FDsys program.                                            OIG C om m e n t s\n     M a n ag e m e n t C om m e n t s                         Three recommendations remain open. Management\n     Management concurred with six of the recom-               continues to take responsive actions to implement\n     mendations, partially concurred with one, and             the three open recommendations.\n\n\n\n26   Off i c e o f I n s p e c t o r G e n e r a l\n\x0c6. Assessment Report 09 \xe2\x80\x9312                               M a n ag e m e n t C om m e n t s\n(Issued September 30, 2009)                               Management generally concurred with each recom-\n                                                          mendation with the exception of one and proposed\nFederal Digital System (FDsys) Independent\n                                                          responsive corrective actions for each.\nVerification and Validation (IV&V) \xe2\x80\x93 Seventh\nQuarter Report on Risk Management, Issues,                OIG C om m e n t s\n\nand Traceability                                          A total of 17 recommendations remain open. The\n                                                          OIG and IV&V continue to monitor the status of their\nF i n di ng                                               implementation.\nThis seventh quarterly report for the period January\n1, 2009, through May 8, 2009, identifies critical tech-   7. Assessment Report 10 \xe2\x80\x93 01\nnical, schedule, and cost risks for the FDsys Program.    (Issued December 2, 2009)\nThe report provides a high-level overview of the key      Federal Digital System (FDsys) Independent\nrisks and issues that IV&V identified during the          Verification and Validation \xe2\x80\x93 Ninth Quarter\nreporting period. The report also discusses IV&V          Report on Risk Management, Issues,\nassessments covering FDsys security and the state         and Traceability\nof program activities required for deployment per-\nformed over the same time period.                         F i n di ng\n                                                          This ninth quarterly report for the period July 1,\nR e c om m e n dat ion\n                                                          2009, through September 30, 2009, identifies criti-\nThe OIG made 25 recommendations designed to\n                                                          cal technical, schedule, and cost risks for the FDsys\nstrengthen FDsys program management, particu-\n                                                          Program. The report provides a high-level overview\nlarly for future FDsys releases.\n\n\n\n\n  Search Government Publications                                                                    beta\n                                                                                 Advanced Search\n                                                                                 Retrieve by Citation\n                                                               SEARCH            Help\n\n\n\n  GPO\xe2\x80\x99s Federal Digital System (FDsys) provides public access to\n  Government information submitted by Congress and Federal\n  agencies and preserved as technology changes.\n                                                                               For more information on FDsys.\n\n\n\n\n                                                          S e m i a n n u a l r e p o r t t o c o n g r e ss      27\n\x0c     of the key risks and issues that IV&V identified dur-\n     ing the reporting period. The report also discusses\n     IV&V assessments covering FDsys security and the\n     state of program activities required for deployment\n     performed over the same time period.\n     R e c om m e n dat ion\n     The OIG made a total of 11 recommendations.\n     M a n ag e m e n t C om m e n t s\n     Management generally concurred with the recom-\n     mendations and has either taken or proposed respon-\n     sive corrective actions.\n     OIG C om m e n t s\n     Four recommendations remain open. The OIG and IV&V\n     continue to monitor the status of their implementation.\n                                                               additional improvements are needed. In addition,\n     8. Assessment Report 10 \xe2\x80\x93 03\n     (Issued January 12, 2010)                                 many of the weaknesses identified during the FY\n                                                               2007 baseline assessment still exist.\n     GPO\xe2\x80\x99s Compliance with the Federal Information\n                                                               R e c om m e n dat ion\n     Security Management Act\n                                                               The OIG made a total of 21 recommendations, which,\n     F i n di ng                                               if implemented, will help further move GPO toward\n     FISMA requires that each executive branch agency          FISMA compliance.\n     develop, document, and implement an agency-wide           M a n ag e m e n t C om m e n t s\n     program for providing information security for the        GPO Management concurred with each recom-\n     information and information systems that support          mendation and proposed responsive corrective\n     the operations and assets of the agency, including        actions.\n     those provided or managed by another agency, con-\n                                                               OIG C om m e n t s\n     tractor, or other source. Although a legislative branch\n                                                               Management continues to work with the OIG to\n     agency, GPO recognizes the need to be FISMA com-\n                                                               implement corrective actions on the remaining 14\n     pliant because of the services it provides, including\n                                                               open recommendations.\n     services to executive branch agencies.\n          In FY 2007, the OIG contracted with a consult-       9. Assessment Report 10 \xe2\x80\x93 05\n     ing firm to perform a baseline assessment of GPO\xe2\x80\x99s        (Issued March 24, 2010)\n     FISMA compliance and to evaluate the design and\n                                                               Federal Digital System (FDsys) Independent\n     effectiveness of the controls over GPO\xe2\x80\x99s informa-\n                                                               Verification and Validation (IV&V) \xe2\x80\x93\n     tion security program, policies, and practices. We\n                                                               Tenth Quarter Report on Risk Management, Issues,\n     completed a full FISMA assessment in FY 2009. The\n                                                               and Traceability\n     assessment was performed using the most recent\n     applicable FISMA requirements and guidelines              F i n di ng\n     published by OMB and the National Institute of            The tenth quarterly report identifies a number of\n     Standards and Technology. Significant emphasis            technical risks associated with FDsys development\n     was placed on evaluating the GPO systems used             practices, system engineering, COOP, existing PTRs,\n     for providing services to client agencies. The OIG        and the FDsys test program. American Systems iden-\n     issued a sensitive report concluding that GPO made        tified schedule and cost risks associated with these\n     some progress in complying with FISMA, but that           technical risks.\n\n\n\n\n28   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cTable of Open Recommendations\n                                                                  Number of Open                    Number of\n    Audit\n                                                                 Recommendations                 Months Open\n\n\n    06\xe2\x80\x9302 GPO Network Vulnerability Assessment                                        1                      54\n\n\n\n    08\xe2\x80\x9312 Assessment of GPO\xe2\x80\x99s Transition Planning for\n                                                                                      1                      24\n    Internet Protocol Version 6 (IPv6)\n\n\n    09\xe2\x80\x9301 Federal Digital System (FDsys) Independent\n    Verification and Validation (IV&V) - Fourth Quarter Report                        2                      22\n    on Risk Management, Issues, and Traceability\n\n\n    09\xe2\x80\x9303 FDsys IV&V \xe2\x80\x93 Fifth Quarter Report on Risk\n                                                                                      3                      21\n    Management, Issues, and Traceability\n\n\n    09\xe2\x80\x9307 FDsys IV&V \xe2\x80\x93 Sixth Quarter Report on Risk\n                                                                                      3                      18\n    Management, Issues, and Traceability\n\n\n    09\xe2\x80\x9312 Federal Digital System (FDsys) Independent Veri-\n    fication and Validation (IV&V) \xe2\x80\x93 Seventh Quarter Report                       17                         12\n    on Risk Management, Issues, and Traceability\n\n\n    10\xe2\x80\x9301 FDsys IV&V \xe2\x80\x93 Ninth Quarter Report on Risk\n                                                                                      4                        9\n    Management, Issues, and Traceability\n\n\n     10\xe2\x80\x9303 GPO\xe2\x80\x99s Compliance With the Federal Information\n                                                                                  14                           8\n     Security Management Act\n\n\n     10\xe2\x80\x9305 10\xe2\x80\x9301 FDsys IV&V \xe2\x80\x93 Tenth Quarter Report on\n                                                                                      3                        6\n     Risk Management, Issues, and Traceability\n\n\n\n\nR e c om m e n dat ion                                           inputs and PMO requirements. As a result, those\nA total of six recommendations were made to                      two recommendations were no longer considered\nmanagement and were designed to mitigate risks                   applicable as a result of the change in develop-\nand strengthen overall management of the FDsys                   ment approach because the PMO does not intend\nprogram.                                                         to define a final system and completion date. Of the\nM a n ag e m e n t C om m e n t s                                remaining four recommendations, three were unre-\nTwo of the report\xe2\x80\x99s recommendations were subse-                  solved because of inadequate proposed actions by\nquently closed as a result of the FDsys program\xe2\x80\x99s                management.\ndecision to transition to an open-ended devel-                   OIG C om m e n t s\nopment effort with objectives (for example, new                  Three recommendations remain open as of the end\nfunctionality) that will be defined by stakeholder               of this reporting period.\n\n\n\n                                                                 S e m i a n n u a l r e p o r t t o c o n g r e ss     29\n\x0c\x0c  office of\n  i n v e s t i g at i o n s\n\n\n\n\nO\n           I conducts and coordinates investigative activity related to\n           fraud, waste, and abuse in GPO programs and operations.\n           While concentrating our efforts and resources on major fraud\ninvestigations, the activities investigated can include possible wrongdo-\ning by GPO contractors, employees, program participants, and others\nwho commit crimes against GPO.\n      Investigations that uncover violations of Federal law or GPO rules or\nregulations may result in administrative sanctions, civil action, and/or\ncriminal prosecution. Prosecutions may result in court-imposed prison\nterms, probation, fines, or restitution. OI may also issue Management\nImplication Reports (MIRs), which detail investigative findings that war-\nrant management\xe2\x80\x99s prompt attention.\n      OI is responsible for investigations at all GPO locations, including\nits 15 Regional Printing Procurement Offices (RPPOs) nationwide. OI\nalso maintains a liaison with the GPO Security Services and Uniform\nPolice Branch to coordinate efforts impacting law enforcement pro-\ngrams. Liaison is also maintained with DOJ, the OIG community, and\nother investigative agencies and organizations.\n\n\nA . Summary of Inve stigative Activit y\nAt the end of last reporting period, 22 complaints were open. OI\nopened 24 new complaint files this period, 10 complaints were con-\nverted to full investigations, and 10 were closed after preliminary\nreview with no action. Additionally, nine complaints were referred to\nGPO management. At the end of the reporting period, 17 complaints\nremained open.\n     At the end of the last reporting period, 33 investigations were open.\nDuring this reporting period, eight investigations were closed, and\neight investigations were opened. Three of the closed investigations\nwere referred to GPO management for potential administrative action.\nAt the end of the reporting period, 33 investigations were ongoing.\n     During this reporting period, OI made nine presentations to DOJ\nofficials. These presentations resulted in five criminal declinations,\n\n\n\n\n                   S e m i a n n u a l r e p o r t t o c o n g r e ss         31\n\x0c     one criminal acceptance, and one civil accep-                 Other Investigations\n     tance. Decisions by DOJ officials are pending on the          OI conducts other types of investigations that do not\n     remaining two.                                                fall into one of the categories above. Examples of such\n         Four IG subpoenas were issued during this                 investigations include unauthorized use/access to\n     period. Documents requested included financial                GPO systems and requests for investigations by out-\n     records, bid preparations, and agreements among               side entities. OI has nine open investigative matters\n     contractors and/or affiliated companies.                      involving allegations of those types.\n\n\n     B. T ype s of Ca se s                                         C. Summary of Inve stigative\n                                                                   Accomplishments\n     Procurement Fraud\n     OI is responsible for identifying and investigating            Criminal and Civil Cases\n     wrongdoing by GPO contractors or employees during              \xe2\x97\x8f\tAs previously reported, an OI investigation found\n\n     the administration of GPO contracts. Violations can              evidence that a GPO printing contractor failed to\n     include false statements, false claims, product substitu-        comply with critical contract specifications and\n     tion, collusive bidding, bribery, kickbacks, and financial                           submitted at least 10 invoices\n     conflicts of interest. In FY 2009,                                                   to GPO. Under GPO contract\n     GPO procured more than $675            The inventory of procurement fraud\n                                                                                          terms, Publication 310.2,\n     million in goods and services                 complaints/investigations              Clause 24(b), submission of\n     through contracting. With such\n                                             represents more than 50 percent of           any invoice for work com-\n     vulnerability in mind, OI has                                                        pleted under a GPO contract\n     continued to develop investiga-                   our active caseload.\n                                                                                          is a certification that the work\n     tions in the area of procurement                                 was completed in accordance with contract terms.\n     fraud. The inventory of procurement fraud complaints/            The case was accepted for action by DOJ and on\n     investigations represents more than 50 percent of our            June 7, 2010, and the contractor agreed to pay a\n     active caseload. Including allegations in complaint sta-         $25,000 settlement of U.S. penalty claims without\n     tus, OI has 26 open procurement matters.                         admitting wrongdoing or liability. Final debar-\n     Workers\xe2\x80\x99 Compensation Fraud                                       ment action against the contractor is pending.\n\n     OI investigates GPO employees who allegedly submit            \t OI continues an investigation into allegations of\n                                                                   \xe2\x97\x8f\n\n\n     false claims or make false statements to receive work-          false statements, false claims, forgery, and/or bid\n     ers\xe2\x80\x99 compensation benefits. We are working on five              collusion by GPO print vendors. OI has the assis-\n     investigative matters (complaints and investigations)           tance of the DOJ Antitrust Division, which is in the\n     involving possible fraudulent claims for workers\xe2\x80\x99               process of negotiating a criminal plea agreement\n     compensation. Two of those cases are being worked               with one of the subjects involved.\n     jointly with the Office of Inspector General for the          \tOI continues an investigation of allegations relat-\n                                                                   \xe2\x97\x8f\n\n     Department of Labor.                                           ing to false statements and/or false claims to GPO.\n     Employee Misconduct                                            The DOJ Antitrust Division is evaluating this case\n                                                                    for possible criminal and/or civil action.\n     OI investigates allegations involving GPO employee\n     misconduct. Allegations generally include false               \tAs previously reported, an investigation of a printing\n                                                                   \xe2\x97\x8f\n\n\n\n     statements, theft of Government property or funds,             contractor determined GPO paid more than $175,000\n     assaults, misuse of Government computers, drug                 after the company submitted delivery receipts and\n     violations, gambling, and travel voucher fraud. OI             invoices for payment, but the contractor failed to per-\n     has seven open investigations and three preliminary            form according to specifications and did not deliver\n     complaints involving alleged employee misconduct.              all products. Although DOJ previously declined the\n\n\n\n\n32   Off i c e o f I n s p e c t o r G e n e r a l\n\x0c    case for criminal prosecution, the case was accepted    \tAs previously reported, an OI investigation\n                                                            \xe2\x97\x8f\n\n\n    this reporting period for civil resolution. Coordina-    regarding the possible physical assault of a GPO\n    tion is ongoing with DOJ.                                contractor by a GPO employee was referred to\n\t We previously reported that an OI investigation of\n\xe2\x97\x8f\n                                                             agency management for administrative action.\n  overbilling by a GPO print contractor was accepted         The conduct of the employee toward the contrac-\n  for potential civil action by DOJ. The investiga-          tor (captured on surveillance video) was deemed\n  tion determined that from February 2002 until              inappropriate, and the employee received a 3-day\n  February 2004 the president of the company over-           suspension.\n  billed GPO approximately $499,000. During this            \t We previously reported that OI substantiated alle-\n                                                            \xe2\x97\x8f\n\n\n  reporting period, the supporting civil Assistant            gations that an employee was using GPO equip-\n  U.S. Attorney submitted a motion for default judg-          ment to copy and sell digital video discs (DVDs)\n  ment. Final adjudication is pending.                        during work hours. DOJ declined the matter, and\n                                                              OI referred the case to management for action. The\nInternal Administrative Cases\n                                                              Agency considered the behavior inappropriate and\n\tAs previously reported, OI investigated allegations\n\xe2\x97\x8f                                                             imposed a 3-day suspension.\n that a GPO employee used or attempted to use her           \tOI investigated allegations that a GPO employee\n                                                            \xe2\x97\x8f\n\n position for personal financial gain and to benefit         used a duplicate GPO identif ication badge\n close friends. This joint investigation with the DOJ        to engage in time and attendance fraud. The\n Public Integrity Section included numerous inter-           employee attempted to gain access to GPO using\n views, records reviews, and analysis by an inde-            an expired badge and when denied entry, pro-\n pendent subject matter expert. DOJ declined pros-           duced a valid badge that had been brought to her\n ecution and the investigative results were referred         by a co-worker. OI found that the employee did\n to management, who terminated the employee.                 in fact have two badges and that on at least three\n\n\n\n\n                                                            S e m i a n n u a l r e p o r t t o c o n g r e ss     33\n\x0c         occasions she had a co-worker perform a Produc-      External Administrative Cases\n         tion Reporting for Operations, Budgeting, and\n                                                              \t OI referred to GPO management information dis-\n                                                              \xe2\x97\x8f\n         Expenditures (PROBE) (a system used to record\n                                                                covered during an investigation of allegations that\n         daily employee time and attendance) transaction\n                                                                an individual was associated with several GPO print\n         with her valid badge 30 minutes before her arrival\n                                                                contractors and may have provided false informa-\n         at work. When interviewed, the subject of this\n                                                                tion on vendor applications submitted to GPO. The\n         investigation initially provided false statements\n                                                                investigation substantiated that although the indi-\n         to the GPO Uniform Police Branch and OI. She\n                                                                vidual was associated with the several GPO contrac-\n         ultimately confessed, however, after being con-\n                                                                tors, no evidence existed that the employee submit-\n         fronted with the evidence. This case was declined\n                                                                ted multiple bids from multiple contractors on the\n         by DOJ for prosecution and was referred to man-\n                                                                same solicitation.\n         agement for administrative action.\n                                                              \tOI also referred information to GPO manage-\n                                                              \xe2\x97\x8f\n     \tOI investigated suspicions that a GPO employee\n     \xe2\x97\x8f\n                                                               ment that an individual submitted two bids for\n      was dealing drugs and had a firearm on GPO prop-\n                                                               the same contract under the names of two differ-\n      erty. The investigation disclosed the employee had\n                                                               ent contractors. The investigation determined\n      recently been convicted of drug and weapons-\n                                                               that although neither contractor was awarded\n      related offenses. Although the investigation did\n                                                               the job, the individual was associated with sev-\n      not substantiate that the employee had been deal-\n                                                               eral GPO contractors. Further investigation did\n      ing drugs on GPO property, the employee was dis-\n                                                               not identify any other instances where the indi-\n      honest with investigators when questioned about\n                                                               vidual submitted two or more bids for the same\n      the circumstances of his drug arrest. As a result\n                                                               GPO solicitation.\n      of the drug conviction and his lack of candor, the\n      employee was terminated from his position with          \tAs a result of an investigation into allegations a\n                                                              \xe2\x97\x8f\n\n\n      the GPO. The employee appealed the removal, but          company was acting as a broker for at least four\n      in September 2010, the Merit Systems Protection          print contractors in violation of GPO Contract\n      Board upheld the removal.                                Terms, OI referred information to GPO manage-\n                                                               ment. OI found the company attempted to broker\n     \tAn OI investigation of a GPO employee determined\n     \xe2\x97\x8f\n                                                               at least one GPO contract; however, there was no\n      the individual, by her own admission, knowingly\n                                                               evidence the company had ever been awarded any\n      misused GPO\xe2\x80\x99s FedEx account to ship several pri-\n                                                               GPO contracts.\n      vate packages over the course of several years. The\n      misconduct resulted in minimal loss to GPO and          \t Finally, OI referred to the GPO Office of General\n                                                              \xe2\x97\x8f\n\n\n      DOJ declined the case for prosecution. The inves-         Counsel the findings of an investigation into alle-\n      tigation was subsequently referred to management          gations that a GPO contractor submitted invoices\n      who have proposed a 10-day suspension.                    to GPO before shipping the finished product to\n                                                                the customer. The investigation substantiated\n     \tOI investigated allegations that two GPO super-\n     \xe2\x97\x8f\n                                                                that the contractor submitted a false invoice\n      visors were unfairly and inequitably allocating\n                                                                indicating that the product had been shipped,\n      overtime hours to themselves. The investigation\n                                                                when in fact the materials were not shipped until\n      did not find evidence supporting the allegations,\n                                                                almost 3 weeks later.\n      but did determine the supervisors were working\n      substantive overtime hours to complete work that        Miscellaneous Cases\n      could be accomplished by their subordinates.\n                                                              \tOI investigated allegations by a GPO employee that\n                                                              \xe2\x97\x8f\n      Specific findings were referred to management\n                                                               she was wrongfully arrested by the GPO Uniform\n      and to OAI for evaluation as part of an ongoing\n                                                               Police Branch for assaulting another employee. The\n      audit of the GPO payroll system.\n                                                               arrested employee further alleged that the arrest was\n\n\n\n\n34   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cracially biased and handled in an unprofessional         \xe2\x97\x8f   \tOI investigated allegations that a former OIG\nmanner. The OI investigation found no evidence                employee ordered and distributed seven sets\nthat the employee was wrongfully arrested. The Uni-           of honorary badges and credentials. OI became\nform Police Branch supervisor ordering the arrest             aware of the badges and credentials after being\ndiscussed the arrest with superiors and they agreed           contacted by a law enforcement official who\nwith the supervisor\xe2\x80\x99s decision to arrest the employee         retrieved one during execution of a search war-\nfor simple assault under D.C. Code \xc2\xa7 22-404. Fur-             rant. The subject of the search warrant informed\nther, OI did not find any indication of racial bias.          OI that he was asked by the former OIG employee\nThe findings of this investigation were also referred         to print some honorar y credentials. OI con-\nto Uniform Police Branch management, and it was               ducted numerous interviews and was able to\nrecommended that the Uniform Police Branch and                retrieve two more sets of honorary badges and\nthe Office of General Counsel work to expeditiously           credentials. The former employee was located in\napprove and implement General Orders and a Mem-               another state, but he was unwilling to cooperate\norandum of Understanding with the Washington,                 with OI. Ultimately, OI determined the disposi-\nD.C., Metropolitan Police Department. The OIG rec-            tion of the remaining four sets of credentials, but\nommended that management in the Uniform Police                because the former employee was unwilling to\nBranch address any conflicts between branch super-            cooperate, it could not identify the individuals\nvisors and subordinate officers to foster professional        to whom the badges and credentials were given.\nbehavior and clearly define a chain of command.               DOJ declined the case for prosecution.\n\n\n\n\n                                                         S e m i a n n u a l r e p o r t t o c o n g r e ss         35\n\x0c     D. Other Significant Activitie s                            how post-consumer waste paper becomes pulp\n                                                                 used as a component in the recycled paper used\n     We continue other efforts to improve our abil-\n                                                                 for Federal printing. The same OI and OAI per-\n     ities to detect, prevent, and investigate the loss of\n                                                                 sonnel then visited a paper mill and witnessed\n     Government assets. The following summarizes other\n                                                                 first hand how a modern paper mill operates. The\n     significant activities occurring in OI:\n                                                                 tour highlighted how paper mills alter produc-\n     \tMembers of OI and OAI staff attended train-\n     \xe2\x97\x8f\n                                                                 tion recipes to produce different paper types and\n      ing on paper specifications and testing that the           specifications. This tour familiarized OI and OAI\n      GPO Quality Control and Inventory Manage-                  personnel with the paper manufacturing process\n      ment Branch presented. The training focused on             and raw materials used.\n      how paper is produced and how different types\n                                                             \t Special Agents in OI are Federal Criminal Inves-\n                                                             \xe2\x97\x8f\n      and specifications of paper are coded by the Joint\n                                                               tigators (general schedule job series 1811) and\n      Committee on Printing. Information was also\n                                                               are designated as Special Police Officers by the\n      presented about the various types of pulp used\n                                                               Public Printer. This reporting period, all gen-\n      in producing paper. Special attention was given\n                                                               eral schedule 1811 Criminal Investigators were\n      to the process by which recycled paper becomes\n                                                               granted special deputation by the U.S. Marshals\n      post- consumer waste pulp, which is a required\n                                                               Service. Over the last 2 years, OI has continued\n      component in a significant percentage of the\n                                                               to develop an inventory of complex criminal and\n      paper used in Federal printing. The training pro-\n                                                               civil investigations requiring nationwide travel\n      vided valuable information about ongoing prod-\n                                                               and frequent coordination with DOJ. The addi-\n      uct substitution investigations and potential joint\n                                                               tional authority granted through special depu-\n      OI/OAI initiatives.\n                                                               tation will allow OI to independently investigate\n     \tPersonnel from OI and OAI also toured a de-ink-\n     \xe2\x97\x8f\n                                                               contractors throughout the United States and act\n      ing and post-consumer waste pulp production              as the lead agency when executing search and\n      facility. The tour provided in-depth exposure on         arrest warrants.\n\n\n\n\n36   Off i c e o f I n s p e c t o r G e n e r a l\n\x0ca ppen dices\n\n\n\n\nAPPENDIX A\nGlossary and Acronyms\n\nGlossary\n     Allowable Cost - A cost necessary and reasonable for the proper\nand efficient administration of a program or activity.\n     Change in Management Decision - An approved change in the\noriginally agreed-upon corrective action necessary to resolve an IG\nrecommendation.\n     Disallowed Cost - A questionable cost arising from an IG audit\nor inspection that management decides should not be charged to the\nGovernment.\n     Disposition - An action that occurs from management\xe2\x80\x99s full\nimplementation of the agreed-upon corrective action and identifica-\ntion of monetary benefits achieved (subject to IG review and approval).\n     Final Management Decision - A decision rendered by the GPO\nResolution Official when the IG and the responsible GPO manager are\nunable to agree on resolving a recommendation.\n     Finding - Statement of problem identified during an audit or\ninspection typically having a condition, cause, and effect.\n     Follow-up - The process that ensures prompt and responsive\naction once resolution is reached on an IG recommendation.\n     Funds Put To Better Use - An IG recommendation that funds\ncould be used more efficiently if management took actions to imple-\nment and complete the audit or inspection recommendation.\n     Management Decision - An agreement between the IG and\nmanagement on the actions taken or to be taken to resolve a rec-\nommendation. The agreement may include an agreed-upon dollar\namount affecting the recommendation and an estimated comple-\ntion date unless all corrective action is completed by the time agree-\nment is reached.\n     Management Implication Report - A report to management\nissued during or at the completion of an investigation identifying\n\n\n\n\n                 S e m i a n n u a l r e p o r t t o c o n g r e ss       37\n\x0c     systemic problems or advising management of sig-\n     nificant issues that require immediate attention.\n          Material Weakness - A significant deficiency, or\n     combination of significant deficiencies, that results\n     in more than a remote likelihood that a material mis-\n     statement of the financial statements will not be pre-\n     vented or detected.\n          Questioned Cost - A cost the IG questions\n     because of an alleged violation of a law, regulation,\n     contract, cooperative agreement, or other document\n     governing the expenditure of funds; such cost is not\n     supported by adequate documentation; or the expen-\n     diture of funds for the intended purposes was deter-\n     mined by the IG to be unnecessary or unreasonable.\n          Recommendation - Actions needed to correct or\n     eliminate recurrence of the cause of the finding iden-\n     tified by the IG to take advantage of an opportunity.\n          Resolution - An agreement reached between the\n     IG and management on the corrective action or upon\n     rendering a final management decision by the GPO\n     Resolution Official.\n          Resolution Official - The GPO Resolution\n     Official is the Deputy Public Printer.\n          Resolved Audit/Inspection - A report contain-\n     ing recommendations that have all been resolved\n     without exception, but have not yet been imple-\n     mented.\n          Unsupported Costs - Questioned costs not\n     supported by adequate documentation.\n\n\n\n\n38   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cAbbreviations and Acronyms\nAICPA\tAmerican Institute of Certified Public              IPA\tIndependent Public Accountant\n         Accountants                                      IPv6\tInternet Protocol version 6\nCA\tCertification Authority                                IT\tInformation Technology\nCIGIE\tCouncil of Inspectors General on                    IT&S\tInformation Technology and Systems\n         Integrity and Efficiency                         IV&V\tI n d e p e n d e n t Ve r i f i c a t i o n a n d\nCMS\tCenter for Medicare and Medicaid                            Validation\n         Services                                         MIR\tManagement Implication Report\nCPS\tCertification Practices Statement                     OA\tOrganization Architects\nCOA\tContinuity of Access                                  OALC\tOf f ice of Ad m i n ist rat ion/L ega l\nCOOP\tContinuity of Operations                                   Counsel\nCOTR\tContracting Officer\xe2\x80\x99s Technical                      OAI\tOffice of Audits and Inspections\n         Representative                                   OGC\tOffice of General Counsel\nDE\t      Delegated Examining                              OI\tOffice of Investigations\nDHS/CPB\t Department of Homeland Security/                 OIG\tOffice of Inspector General\n         Customs and Border Patrol                        OMB\tOffice of Management and Budget\nFDsys\t   Federal Digital System                           OPM\tOffice of Personnel Management\nFISMA\t   Federal Information Security                     OWC\tOffice of Workers\xe2\x80\x99 Compensation\n         Management Act                                   PII\tPersonally Identifiable Information\nFY\t      Fiscal Year                                      PKI\tPublic Key Infrastructure\nGAO\tGovernment Accountability Office                      PO\tPrivacy Officer\nGBIS\tGPO\xe2\x80\x99s Business Information System                    PPPS\tPassport Printing and Production\nGPO\tU.S. Government Printing Office                             System\nHSPD-12\t Homeland Securit y President ial                 PTR\tProblem Tracking Report\n         Directive-12                                     RPPO\tRegional Printing Procurement Office\nICAO\tI n t e r n a t i o n a l C i v i l Av i a t i o n   SAS\t  Statement on Auditing Standards\n         Organization                                     SCC\t  Secure Credential Center\nIG \tInspector General                                     SID\t  Security and Intelligent Documents\nIG ACT\tGPO Inspector General Act, as                      SPF\t  Secure Production Facility\n         amended                                          TTP\tTrusted Traveler Program\n\n\n\n\n                                                          S e m i a n n u a l r e p o r t t o c o n g r e ss        39\n\x0c     APPENDIX B\n     Inspector General Act Reporting Requirements\n\n         Inspector General                                                                   Cross-Reference\n                                    Requirement Definition\n         (IG) Act Citation                                                                    Page Number(s)\n\n\n\n         Section 4(a)(2            Review of Legislation and Regulations                                   8\n\n\n\n\n         Section 5(a)(1)           Significant Problems, Abuses, and Deficiencies                      22\xe2\x80\x9329\n\n\n\n\n         Section 5(a)(2)           Recommendations for Corrective Actions                              22\xe2\x80\x9329\n\n\n\n\n         Section 5(a)(3)           Prior Audit Recommendations Not Yet Implemented                     24\xe2\x80\x9329\n\n\n\n\n         Section 5(a)(4)           Matters Referred to Prosecutorial Authorities                       32\xe2\x80\x9335\n\n\n\n\n         Section 5(a)(5)           Summary of Refusals to Provide Information                            N/A\n\n\n                                   OIG Audit and Inspection Reports Issued (includes total\n         Sections 5(a)(6) and\n                                   dollar values of Questioned Costs, Unsupported Costs,               22\xe2\x80\x9324\n         5(a)(7)\n                                   and Recommendations that Funds Be Put To Better Use\n\n\n                                   Statistical table showing the total number of audit\n         Section 5(a)(8)                                                                                  41\n                                   reports and the total dollar value of questioned costs\n\n\n                                   Statistical table showing the total number of audit\n         Section 5(a)(9)           reports and the dollar value of recommendations that                   42\n                                   funds be put to better use\n\n\n                                   Summary of prior Audit and Inspection Reports issued\n         Section 5(a)(10)                                                                                N/A\n                                   for which no management decision has been made\t\n\n\n                                   Description and explanation of significant revised man-\n         Section 5(a)(11)                                                                                N/A\n                                   agement decision\n\n\n                                   Significant management decision with which the IG is in\n         Section 5(a)(12)                                                                               N/A\n                                   disagreement\n\n\n\n         48Section 5 (a) (14\xe2\x80\x9316)   Peer Review Results                                                47\xe2\x80\x9348\n\n\n\n40   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cAPPENDIX C\nStatistical Reports\nTable C\xe2\x80\x931: Audit Reports With Questioned and Unsupported Costs\n\n\n                                               Questioned     Unsupported\n    Description                                                                              Total\n                                                   Costs               Costs\n\n\n    Reports for which no management decision\n    made by beginning of reporting period              $0                  $0                    $0\n\n\n\n\n    Reports issued during reporting period             $0                  $0                    $0\n\n\n\n\n    Subtotals                                          $0                  $0                    $0\n\n\n\n\n    Reports for which a management decision\n    made during reporting period\n    \xe2\x80\x83 1. Dollar value of disallowed costs              $0                  $0                    $0\n    \xe2\x80\x83 2. Dollar value of allowed costs                 $0                  $0                    $0\n\n\n\n\n    Reports for which no management decision\n                                                                           $0\n    made by end of reporting period                    $0                                        $0\n\n\n\n    Reports for which no management decision\n    made within 6 months of issuance                   $0                  $0                    $0\n\n\n\n\n                                                      S e m i a n n u a l r e p o r t t o c o n g r e ss   41\n\x0c     Table C\xe2\x80\x932 : Audit Reports With Recommendations That Funds\n     Be Put to Better Use\n\n\n                                              Number of   Funds Put To\n         Description\n                                               Reports     Better Use\n\n\n\n\n         Reports for which no management\n         decision made by beginning of\n                                                      0             $0\n         reporting period\n\n\n\n\n         Reports issued during the\n                                                      0             $0\n         reporting period\n\n\n\n\n         Reports for which a management\n         decision made during reporting\n         period\n         \xe2\x97\x8f \x07 ollar value of recommendations\n           D                                          0             $0\n           agreed to by management\n         \xe2\x97\x8f \x07\n           Dollar value of recommendations            0             $0\n           not agreed to by management\n\n\n\n\n         Reports for which no management\n         decision made by the end of the\n                                                      0             $0\n         reporting period\n\n\n\n\n         Report for which no management\n         decision made within 6 months of\n                                                      0             $0\n         issuance\n\n\n\n\n42   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cTable C\xe2\x80\x933 : List of Audit and Inspection Reports Issued\nDuring Reporting Period\n\n\n                                                               Funds Put To\n    Reports\n                                                                Better Use\n\n\n\n    Report on Federal Digital System (Fdsys) Independent\n    Verification and Validation \xe2\x80\x93 Eleventh Quarter Report on\n    Risk Management, Issues, and Traceability\n    (Assessment Report 10\xe2\x80\x9307, issued June 18, 2010)                      $0\n\n\n\n\n    Report on Federal Digital System (Fdsys) Independent\n    Verification and Validation \xe2\x80\x93 Twelfth Quarter Report on\n    Risk Management, Issues, and Traceability\n                                                                         $0\n    (Assessment Report 10\xe2\x80\x9308, issued September 16, 2010)\n\n\n\n\n    Report on WebTrust Assessment of GPO\xe2\x80\x99s Public\n    Key Infrastructure Certification Authority \xe2\x80\x93 Attestation\n    Report (Assessment Report 10\xe2\x80\x9309, issued September\n                                                                         $0\n    20, 2010)\n\n\n\n\n    Total                                                                $0\n\n\n\n\n                          S e m i a n n u a l r e p o r t t o c o n g r e ss   43\n\x0c     Table C\xe2\x80\x93 4 : Investigations Case Summary\n\n\n         Total New Hotline/Other Allegations Received during\n         Reporting Period                                      43\n\n\n\n         No Formal Investigative Action Required                6\n\n\n\n         Investigations Opened by OI during                     8\n         Reporting Period\n\n\n         Investigations Open at Beginning of                   33\n         Reporting Period\n\n\n         Investigations Closed during Reporting Period          8\n\n\n\n         Investigations Open at End of Reporting Period        33\n\n\n\n         Referrals to GPO Management                           12\n\n\n\n         Referrals to Other Agencies                            5\n\n\n\n         Referrals to OAI                                       2\n\n\n\n\n44   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cCurrent Open Investigations by Allegation            33\n\n\n\nProcurement Fraud                                    20            61%\n\n\n\nEmployee Misconduct                                   7            21%\n\n\n\nWorkers\xe2\x80\x99 Compensation Fraud                           3            9%\n\n\n\nOther Investigations                                  2            9%\n\n\n\n\n                                            \xe2\x96\xa0\xe2\x96\xa0\xe2\x80\x82 Procurement Fraud\n                                            \xe2\x96\xa0\xe2\x96\xa0\xe2\x80\x82 Employee Misconduct\n                                            \xe2\x96\xa0\xe2\x96\xa0\xe2\x80\x82 Workers\xe2\x80\x99 Compensation Fraud\n\n\n                                            \xe2\x96\xa0\xe2\x96\xa0\xe2\x80\x82 Other Investigations\n\n\n\n\n                       S e m i a n n u a l r e p o r t t o c o n g r e ss     45\n\x0c     Table C\xe2\x80\x935 : Investigations Productivity Summary\n\n         Arrests\t                                                    0\n\n         Total Presentations to Prosecuting Authorities\t             9\n\n         Criminal Acceptances\t                                       1\n\n         Criminal Declinations\t                                      5\n\n         Indictments\t                                                0\n\n         Convictions\t                                                0\n\n         Guilty Pleas\t                                               0\n\n         Probation (months)\t                                         0\n\n         Jail Time (days)\t                                           0\n\n         Civil Restitutions\t                                         0\n\n         Civil Acceptances\t                                          1\n\n         Civil Agreements\t                                           1\n\n         Civil Declinations\t                                         0\n\n         Amounts Recovered Through Investigative Efforts\t            0\n\n         Total Agency Cost Savings Through Investigative Efforts\t    0\n\n         Total Administrative Referrals\t                            12\n\n         Contractor Debarments\t                                      0\n\n         Contractor Suspensions\t                                     0\n\n         Contractor Other Actions\t                                   0\n\n         Employee Suspensions\t                                       5\n\n         Employee Terminations\t                                      1\n\n         Other Law Enforcement Agency Referrals\t                     5\n\n\n\n\n46   Off i c e o f I n s p e c t o r G e n e r a l\n\x0cAPPENDIX D                                               February 5, 2005, was in full compliance with the qual-\n                                                         ity standards established by the President\xe2\x80\x99s Council on\nPeer Review Results\n                                                         Integrity and Efficiency (PCIE)/Executive Council on\nThis appendix complies with Section 5(a)(14)-(16) of     Integrity and Efficiency (ECIE). The safeguards and\nthe IG Act of 1978, as amended.                          procedures provide reasonable assurance of conform-\n                                                         ing with professional standards in the conduct of its\nA. Peer Review of the Audit Function\n                                                         investigations. There are no outstanding recommen-\nIn November 30, 2006, t he Nat iona l Science\n                                                         dations from that peer review.\nFoundation (NSF) OIG issued a Peer Review Report of\n                                                               The GPO OIG investigation function will undergo\nthe GPO OIG audit function. The NSF OIG found that\n                                                         a peer review during this upcoming reporting period.\nthe system of quality control for the audit function\nat the GPO OIG in effect for the year ending March       C. External Peer Reviews\n31, 2006, met the requirements of the quality control    In 2008, the GPO OIG conducted two external peer\nstandards established by the Comptroller General         reviews of the audit and investigative functions of\nof the United States for a Federal Government audit      the Board of Governors of the Federal Reserve System\norganization and complied with during the year end-      (Board) OIG. On March 31, 2008, the GPO OIG issued\ning March 31, 2006, provided GPO with reasonable         an Investigative Peer Review report. We found that\nassurances of conforming with applicable auditing        the system of internal safeguards and management\nstandards, policies, and procedures.                     procedures for the investigative function of the Board\n     The NSF OIG recommended that GPO OIG                OIG in effect for the period ended January 10, 2008, is\nrequest an interim peer review or conduct a compre-      in compliance with the quality standards established\nhensive internal quality control review of its audit     by the PCIE/ECIE, Special Deputation U.S. Marshal\noperations under its new audit policy and proce-         authority, or the Attorney General Guidelines for\ndures manual (issued in July 2006), but due to inad-     Office of Inspectors General with Statutory Law\nequate resources, was not able to conduct a compre-      Enforcement Authority. These safeguards and pro-\nhensive internal quality control review. The GPO OIG     cedures provide reasonable assurance of conform-\naudit function will undergo a peer review during this    ing with professional standards in the conduct of\nupcoming reporting period.                               Board OIG investigations. No recommendations were\n                                                         issued in this report.\nB. Peer Review of the Investigation\n                                                               On September 4, 2008, the GPO OIG issued an\nFunction\n                                                         Audit Peer Review report. We found that the qual-\nThe GPO does not derive its statutory law enforce-\n                                                         ity control system for the audit function of the Board\nment power from Section 6(e) of the IG Act of 1978,\n                                                         OIG in effect for the 18-month period ending March\nas amended; therefore it is not required to undergo\n                                                         31, 2008, met the requirements of the quality control\nan external peer review of its investigation function.\n                                                         standards established by the Comptroller General\nNevertheless, the OIG voluntarily requests such\n                                                         of the United States for a Federal Government audit\nexternal peer reviews.\n                                                         organization and complied with during the year\n     The Farm Credit Administration (FCA) OIG con-\n                                                         ending March 31, 2008, provided the Board OIG with\nducted the last peer review of the GPO OIG investi-\n                                                         reasonable assurances of conforming with appli-\ngation function and issued its opinion on June 1,\n                                                         cable auditing standards, policies, and procedures.\n2005. The FCA OIG found that the system of inter-\n                                                         There are no outstanding recommendations from\nnal safeguards and management procedures for the\n                                                         this peer review report.\ninvestigative function in effect for the period ending\n\n\n\n\n                                                         S e m i a n n u a l r e p o r t t o c o n g r e ss        47\n\x0c\x0c\x0c     U.S. Government Printing Office\n       Office of Inspector General\n732 North Capitol Street, NW, Washington, D.C. 20401\n          202.512.0039 \xe2\x80\xa2 www.gpo.gov/oig\nOIG Hotline 1.800.743.7574 \xe2\x80\xa2 gpoighotline@gpo.gov\n\x0c'